23542300x8000000000000000295356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:38.966{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84DB77C775D0BC81DF9E52447A41071,SHA256=9A6A930BE9F7BA4183723AA23EACC0A87062B78DABE3ED92933D4EBE1463D071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258638Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:38.156{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB14861DB3530D731C1691A247C91CC,SHA256=6F012284DD2806C4181C9C778184C29ABAC79FCC2A79E8005152F9BD26A2996C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:39.982{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D0861AF0C876E279D58361200023BB,SHA256=FE7E363D19CCE819FE827B7B5E1E67B2007F9F53F48DB5C86B035D6D7E7B314A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258640Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:39.187{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09688938AA186CF8C5FE54E1E49A583C,SHA256=FCE99DAE8DF72C12263902047AB9BD4C78A41FE3B5FF1C2B3258689093D69AB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258639Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:35.647{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50803-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000258641Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:40.234{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539871F7FBA1284EEF717B3BF0CE48B9,SHA256=094DD22E795522EBDF357A5B1B111F0BF4A249E5E199B5246070403138E7E6D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258642Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:41.265{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3103E809B3B6D914B39DA033FE4713,SHA256=A3EE2F485CE3F5F18CCEA4A39C45DCEEAF97F65EE7EFF3276CC3C4F993E0235B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:39.364{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59119-false10.0.1.12-8000- 23542300x8000000000000000295358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:41.029{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478AC04982573192E8BA809CEA5E80CE,SHA256=89C04D43C0CD0E6440AF3D7BBE5D57F8BBD78E32B38693DCA13ED897433A13A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258643Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:42.328{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3783C1AED0A1C490A620E2E2F7EE74EA,SHA256=15AE6FFF7418487DFC2B992BDBB2607011A836A91BED8F3C5CC961D4665F8FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:42.045{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D2DD87EBE23BF0310C855B05A2EA53,SHA256=393D0EDFE6A0A8CF512F66B4CC1C49227611E1DFE3DDAC0E9110A4DEE230140B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:43.058{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4078E63184E04965E00A6798A431F4,SHA256=42E49FB0BA833404FB7F962CEA494D6C2496B37DFA04453FAF0E8AB804A029BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258645Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:43.342{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82246BF6D623037B9B77D17177FA4E49,SHA256=E1E320ABC4D29F93E7D472803E1137B2BA89DE9A425F61B2C13C0193DE852A56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258644Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:40.694{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50804-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258646Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:44.358{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB83ADD53E6DC7EF0C507DE85DE9D699,SHA256=63C903E6B81AB608E141E7E3D79B88A18F4AAE70875E6839B65CB9205DAF8A5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:41.934{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-62350-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000295362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:44.073{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C35B334C2BE1C36FC37528F0E9FB2EA,SHA256=A5EA8C14B96F68D72CB658602E0315AF243F55BED400B6DF92FC802CF845DC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258647Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:45.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1620D50EDDB95E85A4115473739E32,SHA256=2BA4742A496ED1C7D4152003E580F111EE37EABB65E7A5FFF35151AFB84853F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:45.089{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89601408B34621F9C94ADEF948FFFC84,SHA256=765724D9B1B1475D4825419DAD889971CD604D89C89892D495D75D334724FF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258648Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:46.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6139AAC871DAA2929A7618FF2E91C3A2,SHA256=DADFF77BFC150E522A2F276E9766E289E24E1FB91B8A2F53F2FCE99ACD5DCCF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:46.136{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD4718BB057B5E6A053944C7BD0925C,SHA256=357FEEB367532BA435C9C46C47EAC243F2793F566375D170DF4CD2B1A99665AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295377Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:45.408{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59120-false10.0.1.12-8000- 13241300x8000000000000000295376Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000295375Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0504178a) 13241300x8000000000000000295374Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0x4349b921) 13241300x8000000000000000295373Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebe-0xa50e2121) 13241300x8000000000000000295372Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0x06d28921) 13241300x8000000000000000295371Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000295370Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0504178a) 13241300x8000000000000000295369Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0x4349b921) 13241300x8000000000000000295368Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebe-0xa50e2121) 13241300x8000000000000000295367Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0x06d28921) 23542300x8000000000000000295366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:47.151{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2992656C48C3A21A9F31FD0073F67AF4,SHA256=7157D041C684171520A757B5112A9EA16ABD1C8706837886C8F432759E600AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258649Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:47.436{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF54453820563869087734F09F0A55A,SHA256=290E156D141DD84BA72D14533CDAFDD38A552585FC9907CEFF3ACF387ECDC2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258652Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:48.452{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7925D7F7BC449B888F68430F58746F,SHA256=787237A595B02B2043E7239A51A906E46D32656AEC7C308DC6143D6D2467BF34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295379Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:46.712{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50806-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000295378Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:48.151{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F529B9E1AEB64BC6527E51DB14045A82,SHA256=FF2101D0E5B9BAB0FBF4A1B0822E2B8C40386AC3DEC8FC0853439226BFB63EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258651Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:48.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F779EDB1AA14EC5E2FA1F6FC5FC2792,SHA256=797AC3DED90B47483332CC16B69447B4F9DA4C789FCE34534481AC5BA9DFA101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258650Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:48.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16322EF181B5362DDA14C402DECBB021,SHA256=BB2AF6910BE68AB299BCE9355BF3E100A3844413EC9B75E5A1CD153114072BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258656Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:49.467{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316025230F06715B474E292F1D9141C7,SHA256=1579FEF2823BA12E9B84B687BA1D784135304995859716A43BA4C6F802236C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295380Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:49.167{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023B3D3BC3DE841EE2B17F5D337A4315,SHA256=92A8714C1E6D148CA338D6868486DFE8763F3B51B1DD1CFF53335EF068B1A758,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258655Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:46.857{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50806-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000258654Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:46.709{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50805-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000258653Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:46.679{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com54159-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258657Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:50.545{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07461BCB7FE870315490B0CAEFB1BE30,SHA256=A3DDAA326A698957947682782F1CF00BFAC33D9995829B003607A5AC7B8425A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295381Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:50.198{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0102AD9FC5A233F43216E7FAA6A4CC36,SHA256=09B7F975D422ED802BAAF13383E2299C186795471AA5CF96761B5B79A15246DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258658Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:51.577{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5922E5C5E6756B673CE57EC488F487,SHA256=EE060F60177318C74EFF7ACB15052C9D95E7FA2E2E14FADBDCBE822B38CDA3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295382Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:51.198{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2F2C9C5A1E1C6AF6C45399E7D47F04,SHA256=0E4C3628E6C0DCFCC64DC36BC7674CC3748D66307ADF81424D8342E8FFD6372B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258659Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:52.592{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1F8164F627AE33F3898DDEEE48C47B,SHA256=658627F42DF5CD2E8D62A0ED9B3D7498A19E032A1786917047035C4A4996505F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295392Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.698{5097E253-90F8-6149-722B-00000000FB01}81523032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295391Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90F8-6149-722B-00000000FB01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295390Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295389Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-90F8-6149-722B-00000000FB01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295388Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295387Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295386Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295385Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90F8-6149-722B-00000000FB01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295384Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.527{5097E253-90F8-6149-722B-00000000FB01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295383Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.214{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1232AB2197A5CC76757B42CABB56D7,SHA256=2F15D00DC8460A403D9F7CA5610BEEA351FB23EF79B016A81421E24CD5F62C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258660Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:53.608{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DECED0FF351FE4593A74FD693421185,SHA256=6B070E76B3877CCCE01E574BC9FC7E0451A080E2FE1B7B2C4532581F361C720A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295409Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90F9-6149-742B-00000000FB01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295408Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295407Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295406Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295405Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295404Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-90F9-6149-742B-00000000FB01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295403Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90F9-6149-742B-00000000FB01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295402Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.871{5097E253-90F9-6149-742B-00000000FB01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295401Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.230{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401F3D96A2D57548E0E0E232F8612572,SHA256=785CCA4E724377B7711A9645F2880CD79D6DD2C35FA1D6A9471D1D30A1888AFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295400Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90F9-6149-732B-00000000FB01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295399Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295398Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295397Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295396Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-90F9-6149-732B-00000000FB01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295395Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295394Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90F9-6149-732B-00000000FB01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295393Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.199{5097E253-90F9-6149-732B-00000000FB01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258662Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:54.639{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0217F9031191CF2EFF1A765FEE06700D,SHA256=2246484B7BF94614E63EBA4A206D900419B51B44FD00ACB0D66C5E6B3336AAC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295421Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.526{5097E253-90FA-6149-752B-00000000FB01}73967220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295420Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90FA-6149-752B-00000000FB01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295419Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295418Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295417Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295416Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295415Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-90FA-6149-752B-00000000FB01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295414Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90FA-6149-752B-00000000FB01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295413Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.387{5097E253-90FA-6149-752B-00000000FB01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295412Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.276{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1650716F4D17FA04772198A072AB68,SHA256=475981F4B04BE049775C7DF4E96305F94020571E74333B8CC0918B376CCC37D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258661Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:52.631{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50807-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000295411Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:51.424{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59121-false10.0.1.12-8000- 10341000x8000000000000000295410Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.011{5097E253-90F9-6149-742B-00000000FB01}15523528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000258663Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:55.655{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7477CA82FCAA6FE1D0744D197A206AB8,SHA256=5AADC7E75B6639932B81DFB657C86816FBFD3495021C69F9FD61408AE1D00AF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295439Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90FB-6149-772B-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295438Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295437Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295436Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295435Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295434Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-90FB-6149-772B-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295433Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90FB-6149-772B-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295432Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-90FB-6149-772B-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295431Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.276{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBEE8474A1D2128D74B48AB005C9BE5,SHA256=4333A80C8CE4EA89FA76AAF1F0512B48B92D6419BAC61156A68C717C25EF09FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295430Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.183{5097E253-90FB-6149-762B-00000000FB01}62848028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295429Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90FB-6149-762B-00000000FB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295428Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295427Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295426Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295425Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295424Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-90FB-6149-762B-00000000FB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295423Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90FB-6149-762B-00000000FB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295422Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-90FB-6149-762B-00000000FB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258664Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:56.670{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F599B9F1EADD093D9FBC6850C2681D,SHA256=A4FA0F4878DD15AC57E12412B085D87554C14EFC101479BF4F6677C5CC8318EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295440Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:56.276{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE527B8CB6D5DC6A0A5DAB0370BA954A,SHA256=B540F1EE015D3C9BA7D62473128568B87CBEB612992FB5440D9E427E88E10B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295441Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:57.511{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5BC7CE72A1399A938C87E88052365F,SHA256=1B8FBF415616981FC75CAC31134FB2C6C78A4F08E3AF144EC201222F4B6E3565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258665Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:57.702{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F9ECDF26916B76B1A484013E49B0DA,SHA256=A7BE8B3D187946863E5395D0EB94EE6A72E6B3305C74B5D400D838AEACF01847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295444Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:58.511{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC53C0040036AD48DA1CDF4C8E8E2CE,SHA256=15372CFA80E517842C83353CE05FA651319D16B722524D6DAB8C478EB2D5B6A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258666Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:58.733{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD9061C1722A39BFFB38B5AE5FF9C5D,SHA256=7A06E5602EA6BE02CC14B1871214C8254F41B2B702F3E2B9A99F32F3DBCC83FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295443Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.799{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59122-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000295442Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.799{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59122-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000258667Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:59.748{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C09C8CE39BC34C4F3B42A3CA6897C9,SHA256=DC470BA227C9BD7AA2A46ACD11BCC8B2B780ED1C37E63589CC25F9DB56764031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295446Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:59.589{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FA4538712D0371B401B7B5DDD29ED3,SHA256=4997216A63EE52B291E9CC4FD4F7BF186E9B55BD1C88920DF2242B9786A36666,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295445Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:56.533{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59123-false10.0.1.12-8000- 23542300x8000000000000000258669Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:00.764{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14BD6EFC3DDE10AA7AFD0AC25111DAE,SHA256=233ED59FCEE17AF4598268CB4FC7EDF8DDC5CB19F6F736BE94A59472DB4A9D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295455Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA5D10BF5A4212F46961B9FD2750EF8,SHA256=6CAD947D28A807F4334C26C26DCCC720BEEFF5B0B8E8D5051F67892A4D7A2E9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258668Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:58.600{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50808-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000295454Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9100-6149-782B-00000000FB01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295453Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295452Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295451Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295450Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295449Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9100-6149-782B-00000000FB01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295448Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9100-6149-782B-00000000FB01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295447Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.027{5097E253-9100-6149-782B-00000000FB01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295456Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:01.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BE791EAFF505DF98E157A86D382128,SHA256=AFE47C724D7043412C476F5173782994DB6A27CB55928EADC4B031BC706B2FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258670Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:01.795{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB37D4A6EE31998F021A4159C43BB3AF,SHA256=7B576817715C58CDBCDFDE631A4ECBE0ECF92CB4D6AF161A96CB9A8E5BC4CC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295457Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:02.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB56CE7163EC7B13385477CAB3F9387,SHA256=8C1966E96AAD2B1FBEC6AC336A974BB46B1B7D740D61D8ACA3B5A7A2B31D0BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258671Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:02.811{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B984CEC8351D332A85FC2EF02E54FB8C,SHA256=8BCA50A51FCD0E85CB5FBE15E2952CB14B70CE77BAD99AC24A7D0F4845733C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258673Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:03.822{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2772712B5D0AB13DBE4344642D30F8F6,SHA256=9A18045696D944372A756E365EB06C5ABEC2C087F446D279E9ECE3A77136EBAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295458Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:03.616{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F6778D5F4F66C609BA89F9D86C7571,SHA256=089D58581CDBF4345E5B4A1250F1D3DED97DC60723E5D078E60B3DF9115E584E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258672Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:03.181{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6D45A8B3AE5E1772DADB3F2888D3AB43,SHA256=875006647351913B7A3238016C0EF897EF31D83724458309032FA3E2874EC689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258674Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:04.838{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0928B061773220240CD4F1C94AFF7FEF,SHA256=04EF51B9150A53C44F4E35E4516EE86F739DE9FF55B3854CEB43EF1E753F7ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295460Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:04.616{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA2E719FE15F84190EC5BEB2A1B92E5,SHA256=8667E9539FF40EA7CDCF5882A39C125A1FD6F485BEB2CCDABDE10376D14DE23F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295459Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:01.548{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59124-false10.0.1.12-8000- 23542300x8000000000000000295461Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:05.616{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39203871078D918DCF9FED3F03391B45,SHA256=CFFC333850155E6297DA5671B42A2BB11AA70BD90CC4B81EFA4BF820E596DB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258676Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:05.838{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F084D7BFC4A6102D97F94F86A6C6C016,SHA256=01637264866CDFBFEE7179AB36936D052A402D64A12441DA2C6E62455E5C4992,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258675Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:03.704{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50809-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258677Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:06.853{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3C3214D196C87906E6E10239CB450D,SHA256=EAB717A2781FD7F1C30BCCA2F8A62F1CE041A2288169133BB039D637170EA038,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295469Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48162508C:\Windows\Explorer.EXE{5097E253-8DAF-6149-E92A-00000000FB01}7104C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295468Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48162508C:\Windows\Explorer.EXE{5097E253-8DAF-6149-E92A-00000000FB01}7104C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295467Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48162508C:\Windows\Explorer.EXE{5097E253-8DAF-6149-E92A-00000000FB01}7104C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295466Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8DAF-6149-EA2A-00000000FB01}7628C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295465Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8DAF-6149-EA2A-00000000FB01}7628C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295464Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8DAF-6149-EA2A-00000000FB01}7628C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295463Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8DAF-6149-EA2A-00000000FB01}7628C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295462Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.616{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97B2E2FE9242E56CEC6470D907FEF08,SHA256=E919628233D191169DEFF373B0191D905D0587BA507F0F6B51BFEDF6D82EEE4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258678Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:07.869{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3486DB24EDAE499476A36F2A50DB1C6D,SHA256=D7E7029086D4D025C35E56E042DC76F4F40B1FE7A780E1045F85EED432864F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295470Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:07.631{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441DDC685D05E2AE55418C4F6AF8CAE6,SHA256=8CADC7B0028373F48F8861AFB82D5E9A9D2BFB1DC59BF957C203D68527D7AEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258679Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:08.916{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5880566A273F09D3B8973F1D98AA8AE3,SHA256=52D35080376D2BCAD3EEE4329ED28EE93CCC29F78BC7946DA261F8D45FF0B2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295471Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:08.647{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE02F94591CEAD4FA645520A5C788A25,SHA256=E3795DE33EB61C3DA511840A7E436884C3101F2208994CB07F43BCE99F1909D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258684Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:09.994{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE0E375DAA2DAC0C058AF02508C8C3E,SHA256=806DC51AEE02CF042F1FE3368917BA43D69884F4878B6CED143D34BF0D6372C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295472Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:09.662{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF44E80799558C422D1B7D4EF107AE8B,SHA256=FAF4594FE459691AB4352E4D5700BEAD847D6FCD90E07A959F0411DD32784FF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258683Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:07.997{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50810-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000258682Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:07.858{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com53236-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258681Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:09.525{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6F933D589073B7285FD84F21BA80341,SHA256=949488F9B62EEBA9905C679AB2F8FA5B7385C656B8D3C7DC61637B97CE22C68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258680Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:09.525{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F779EDB1AA14EC5E2FA1F6FC5FC2792,SHA256=797AC3DED90B47483332CC16B69447B4F9DA4C789FCE34534481AC5BA9DFA101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295475Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:10.756{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1DFC1198F9E3CDC2E29A2282698B4A,SHA256=6B0DCDA79D9C8EFE38444AD7978CC26DF710311102B5658D8025A0404B2284C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258685Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:08.736{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50811-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000295474Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:07.852{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50810-false10.0.1.14win-dc-966.attackrange.local49676- 354300x8000000000000000295473Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:07.419{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59125-false10.0.1.12-8000- 23542300x8000000000000000295476Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:11.803{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36538B0916828A9B86724774DB48220,SHA256=173B828A3657A017353C5AFD70F126E81E9B06E2CF0335DFED4A1BCF1DEDA898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258686Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:11.025{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204395344F30BFAF2EF146F36E58A06C,SHA256=6EC6ACFECD257B3DFC36801FDBE27C246F5C32A5CF4A1C81A28559A6AB769CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295477Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:12.819{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C81A8FBABA0313461A754CD10E255F1,SHA256=7DACE3A0E2ACDE58103AD6FF83C3BFBB1625E4A062596CC85C6C9AADCDF8DB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258687Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:12.056{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BFE20AD2FBC6119685188361F88278,SHA256=6C22232A3F3FD6626CC0F91D166E51C4B6383C8DD0D30D771E4B2B54ABD2A9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295478Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:13.834{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B9DEBBBDDB99EE15A82BFB4A4C362E,SHA256=10F7095A77D473809489361719FD40A3CB08D1F5CC8BFE51B38B12FE12B8D935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258688Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:13.088{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2135042E5326ACD886131C0717219D45,SHA256=470417440EE22CB45981D6F4CC100E7FCCF3C9D19C8C0870DE6493717E2B7432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295480Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:14.866{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F3B6BDFC55F05DD69FFDE9CF62E097,SHA256=16FF8AC329AD64966C4B3C269F9E299B0EC450E20E0E04196763A8BBBDA10DB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295479Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:12.528{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59126-false10.0.1.12-8000- 23542300x8000000000000000258689Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:14.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1FE4C64A5786A953DC8AAA2C5C7F36,SHA256=2B6E0B99838A9C621D143079ADB9E6C5C3674A7DEE4BBD33B5E6265676A55D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295481Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:15.881{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D02109B8A2B524BE75D144AFC5BD730,SHA256=8F59A8345B47F67A274BDDFB65C15F95A8E98EF4539D1C7E7F093623EF10BF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258690Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:15.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03FF4A6BB689A25BD036066B0FCDEE4,SHA256=D51AE5257F42430821C76B05D613324E59229D8E1B344BAABD3B21FDAFF1EEE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295482Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:16.913{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0D186E412ED423BDD4DED480722943,SHA256=9963E55BAC459386D022D92436C3FFBE6CADB3AB210A2C984C1C5D27F1A2CB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258691Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:16.181{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B16872CEEE4A63ECD859A0C38AC4FD8,SHA256=65C9C74B20EEB703BB44036A9D257A04F7F636EA4B697186FFDA541FCD017CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295483Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:17.944{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C37C7A98670F1A92CEDF84F21D9C6A,SHA256=293FFB911EBB2E76B279658F70124E9C6A9071936E3934FE4E1B6EEB327C0C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258693Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:17.197{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B6D47815E961561AB2855928546E65,SHA256=77F78ED852B71E553CCD19959A931E64FC3C4973A30A59244DAC9422A80A3752,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258692Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:14.705{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50812-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295484Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:18.944{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C363FA4482654FC933534E03926829,SHA256=8AAC78F090ED94F68050A48B48FD46F4EAD31DB7CD3D094EE4FF24E643EE7164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258694Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:18.213{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83908EEB30160F15D0C996325CDE14C9,SHA256=9D5F9C4B84178872A121E01A37384246AD10F928C8A699A9AD9071E5CAB88C8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295485Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:19.959{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1878E0B262473701B233D23BF58ED049,SHA256=5A89DB43C90897DEB3A27AFC9EA4D83B9C1D4CADC2D5F3315DF1C662921FB135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258695Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:19.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7FE05D5D5B6163AC8E7B30C7E76EC3,SHA256=05496B5DA0FFBD9B1189E3D3DBB8D0F8A27BB68DE404294C47BAF7CCC5DD01D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295488Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:20.975{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A92AB87643A9EF42A6D7F0C4289C34A,SHA256=511B42B0883381D447886A20A1D800BA3381FD5BDC3183BD7FAD2AFCBA223A7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258709Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9114-6149-0E27-00000000FC01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258708Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258707Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258706Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258705Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258704Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258703Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258702Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258701Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258700Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258699Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9114-6149-0E27-00000000FC01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258698Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9114-6149-0E27-00000000FC01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258697Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.854{C189DCE5-9114-6149-0E27-00000000FC01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258696Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C104BF1E6E346DCAAF74B58810ABDC34,SHA256=85DC21ADEA64FB107922030BEA4BDC8CA84737984A641BEA73113D6CA9EFD755,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295487Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:18.499{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57118- 354300x8000000000000000295486Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:18.499{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60271- 10341000x8000000000000000258725Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.666{C189DCE5-9115-6149-0F27-00000000FC01}9123356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258724Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9115-6149-0F27-00000000FC01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258723Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258722Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258721Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258720Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258719Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258718Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258717Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258716Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258715Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258714Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9115-6149-0F27-00000000FC01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258713Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9115-6149-0F27-00000000FC01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258712Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.526{C189DCE5-9115-6149-0F27-00000000FC01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258711Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.306{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CEDBB5B0BD340DF324A3EC0059431B,SHA256=FB59A2946F5806A2D432748682337D58404203842A7A09768BF048C7E19BBDCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295490Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:19.925{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om57676-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 354300x8000000000000000295489Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:18.512{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59127-false10.0.1.12-8000- 10341000x8000000000000000258710Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.010{C189DCE5-9114-6149-0E27-00000000FC01}3548736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258754Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9116-6149-1127-00000000FC01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258753Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258752Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258751Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9116-6149-1127-00000000FC01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258750Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258749Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258748Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258747Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258746Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258745Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258744Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258743Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9116-6149-1127-00000000FC01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258742Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.870{C189DCE5-9116-6149-1127-00000000FC01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258741Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.369{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7848EC97884270446BEFA62C78D6307,SHA256=44F6FFF7C30F3533FE8AC634FEFAFD59C0B94DB8AA7C711752C83B7AC6BE17A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295491Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:22.006{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F409A682F7979DC459FEC70168B99212,SHA256=298D08F4ADE8DBA54BF4A5BB4B746FC447ED531F189801ACAE6E97A284A4BD6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258740Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9116-6149-1027-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258739Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258738Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258737Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258736Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258735Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258734Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258733Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258732Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258731Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258730Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9116-6149-1027-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258729Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9116-6149-1027-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258728Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.198{C189DCE5-9116-6149-1027-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258727Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.072{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D73DE68B9C6D4DA46CFC196D0884DD,SHA256=D6BA8F43333896F02D81A24FA440084E6A167C8D8EBE326BD424834492186137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258726Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.072{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6F933D589073B7285FD84F21BA80341,SHA256=949488F9B62EEBA9905C679AB2F8FA5B7385C656B8D3C7DC61637B97CE22C68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258758Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:23.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B75709A4E2DC75575630EF472DBB13,SHA256=AEFA5758475C92B3F414B10483784260FBAB4B4CCC4635C20B664261B890E41F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295493Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:21.093{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50814-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000295492Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:23.027{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D570DB742F69A66C8437B237F502E3D9,SHA256=47B663F7D9781684EA748633D777F6A0DE4F30A9B4E9C5210B3E98B01E91E4FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258757Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.162{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse188.165.200.30ns3128168.ip-188-165-200.eu49580-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000258756Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.704{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50813-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258755Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:23.202{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D73DE68B9C6D4DA46CFC196D0884DD,SHA256=D6BA8F43333896F02D81A24FA440084E6A167C8D8EBE326BD424834492186137,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258774Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.764{C189DCE5-9118-6149-1227-00000000FC01}40723400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258773Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9118-6149-1227-00000000FC01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258772Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258771Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258770Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258769Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258768Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258767Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258766Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258765Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258764Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258763Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9118-6149-1227-00000000FC01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258762Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9118-6149-1227-00000000FC01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258761Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.593{C189DCE5-9118-6149-1227-00000000FC01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258760Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.405{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616A33B37057EE7D03E85D823A14F82C,SHA256=48F022DD162CEEE7D71B334490C8D2052421D76893231B9232124B616E60EA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295494Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:24.058{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA4DAA4DB345A86C0F0724ECF84DDED,SHA256=9B38A01568B764D2AC79131305BE3D3E80D3058492EAD69A8DEF6E65A6374542,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258759Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.237{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50814-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000258790Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.796{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A247F034EF4F9A238DFAA3FCF216CFCF,SHA256=70B03C7DB7E1D84AFFCA0DFB487F8A6A25BF3917F63948FBBAAB2B4EA17E4CC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258789Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.796{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545C771E92F3F351461304CF4774E764,SHA256=AF703877901D7001A4528C8034CC515350BFE266C13A9028F9AD76AA17DE5F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295495Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:25.074{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921188D96471CF60EE35B1833667BE00,SHA256=1927D075B13B170C73C886C2D45F571B7B2C9572072538F4CB64414881D019B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258788Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.436{C189DCE5-9119-6149-1327-00000000FC01}18403268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258787Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9119-6149-1327-00000000FC01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258786Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258785Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258784Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258783Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258782Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258781Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258780Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258779Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258778Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258777Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9119-6149-1327-00000000FC01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258776Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9119-6149-1327-00000000FC01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258775Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.265{C189DCE5-9119-6149-1327-00000000FC01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000258805Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:00:26.858{C189DCE5-4A3F-6148-1100-00000000FC01}964C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7aebe-0xbcff5058) 10341000x8000000000000000258804Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-911A-6149-1427-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258803Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258802Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258801Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258800Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258799Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258798Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258797Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258796Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258795Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258794Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-911A-6149-1427-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258793Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-911A-6149-1427-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258792Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.828{C189DCE5-911A-6149-1427-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258791Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.796{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4384D16D8E580D0341083DFEC79CCFF3,SHA256=D28B887A0A2FDCF6561804C60CC248DD7F7A37917D1E13ED4503FA1799A3C752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295496Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:26.121{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210F7872AF5C737C9E9C6B9480738A64,SHA256=FC61CEE2B4B978A11B230CABA71656E4B4217F810CA8E98803F1AD2869DA4BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258807Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:27.922{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEA733195164B530D36E265968FDE50,SHA256=B843E7906F71EC2C95491D56E9C0CA1C2B33258F6F06F0ED7AC28129EF26B701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258806Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:27.891{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9D5E58286D628B404C23FAB45EE528,SHA256=3E753FC90F95AA3557BF5D29525CEDFCC6AED8D56EAADF283CCD3CEF33062A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295498Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:27.136{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F360AC8360613ED90470E1078FE47A5,SHA256=0A1BBB11521989BEB663CBA3383E683CD5F922317F954C44575AAE6AE35F0A9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295497Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:24.533{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59128-false10.0.1.12-8000- 23542300x8000000000000000258809Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:28.953{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADFA01C44877E42428E9B0641EA4A09,SHA256=FAD644B3BBE1E5901C532EB4289D6664DE66F824EF929B9518A4EAB0FCCCF798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295500Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:28.605{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6D5419F56BC1EF8850247801AC99CB5E,SHA256=09681B272894EA725C4CBFDD659B562609D036DF5DF0B392237CE869EA72A9BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295499Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:28.136{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3476A2A81332A82DEDB0394F36C4C91E,SHA256=24440BE8054149CE06056915620593963C6C953B27FD8F04945E413488F94953,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258808Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.553{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50815-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258810Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:29.969{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EBBA802AE5EF1085BC9A5F90870E272,SHA256=AA79B51C06D5BB64F8926B3A68A11269289272C9190C1B7A89EF7286305A1D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295501Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:29.152{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113BA59F6A740E908887668C8C3A1D12,SHA256=4043B74272414615428A4988035F78E1A72DB7B43D3D13F6C3BF3A2560000EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295503Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:30.203{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1367MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295502Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:30.169{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC40C732EECBA1CDAD676542E5ED73D7,SHA256=36FB648A998E2583A435454BD6BAA0CF6F3CA5D4A0834C2C33BA19EFD3C79A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258811Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:30.985{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E433AF506A9E7B635F1AF3EF2B8C719F,SHA256=019F746091BAE0683092DD85B3BCDEA0B5059C96F0B7C74461F491922CFF5F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295505Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:31.207{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1368MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295504Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:31.189{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17395F157A711013D5EFD09928D70178,SHA256=E9870F2FDB62C4FBD53A30FE5CCF4F535E81C42CA403E608EC8EF28AEA56CFCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258813Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:29.241{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com52066-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258812Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:31.000{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F68A5EE519EB518880D76FE0DFF719,SHA256=86B13169A688D927AA8087354A02D15F0841A3FA39CA3109B690D9C427A12C64,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000295507Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:32.208{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXEC:\Temp\remcos_mod.7z2021-09-21 08:00:32.208 23542300x8000000000000000295506Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:32.192{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DEE4B02AF3CA083378944EB43CE5F5,SHA256=4FD909A5F3FBE8BB50542ED17C670E09F7F31298D1108E2B0148155880A702BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258814Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:32.016{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D0BC3B92ACCF8D045DB4374345A723,SHA256=241507C206075DDB83C3099B5EC7FEDBB98FF8E34ACF176742F21B97D9520A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295509Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:33.364{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEF10E0659A6F8AEF5C9B9235F32B87,SHA256=FB5D1A0A0BACE7DE175A17C306D8FF1AA3BE11BFACA04B1BB082EF9CA2BFCA06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258816Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:31.725{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50816-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258815Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:33.063{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4568B58150619801375161FE35FBF42F,SHA256=83069AA6FCEFF5AC43670C3667CCC9915EA7F4F749BED34F6AA3A9F17BF6B3D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295508Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:30.508{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59129-false10.0.1.12-8000- 23542300x8000000000000000295510Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:34.380{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D576046F64B83A55BFCCA37453C173E,SHA256=A46E1771D1A8C2BEA4DC46C09116250F4118DF39E119BBE16798868615A98ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258817Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:34.110{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F76006585B612A9DFBC8350D97DF45,SHA256=4525F78D07E3A6E9E33EB7E733BAAD1670CF0F2D9471F65CF2EB552270649181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295511Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:35.395{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F334B0503BB2FCB71A59A957789BB72,SHA256=EBEF3340310C1EF9A905C2D6C9A1E5A7AF423259DEC3C7D3C23A112B7461EAB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258818Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:35.125{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B25F312857DAD20A427102D5E3C29F2,SHA256=50699089BDB2DACCB8DA0014BF0EF449508F2B03BA8E26AA82A045A08D91C02A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295528Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\eventvwr.PNGMD5=4310123299C0DE80A83539CC13497AEA,SHA256=82CB3CD93C41AC8ABBCC79FCE4B7A12B30694C53E8C0A80DD982C6E104D0EAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295527Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\download_c2.PNGMD5=EFCDDB4CAF355DD94AD161D767A77E77,SHA256=76626AB1A7D570CC27703E45A386F8C4714D838FF05E8874710EED6B8ABA1E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295526Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\disablelua.PNGMD5=EB310408CE2C27535BEE16AF2EF03C88,SHA256=83AF023E44E17688D5FC9174E460F5A56DB3659AD701B01D52D8CE7EFED2DD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295525Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\defaultbrowser.PNGMD5=D7DBC4EEAA3F88ABBECF063EDAC65EFD,SHA256=0CB3B183066E70111472490E53428D5730CF0BAE1F1EB0693DA30CEE830B4229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295524Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\connect_c2.PNGMD5=0BEE1CF9D17446150D3957ADECA1CF82,SHA256=334BED420901306E5CA2A7EBC27F610355CB7125CAC1EFC3E4CA73300A20776C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295523Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\computername.PNGMD5=DB121942755F1513B8EA34C8AC96F74D,SHA256=E89D9606414AFDBF6DAAC4B3B672773E7A459BADAB4AC28E1943619A0AC6A9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295522Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\clipboard.PNGMD5=0BCE5E0CDF5EA568FE1AFDCB672D24A9,SHA256=F779E599477D58A21B56FC1956D8E185BD0FABBCB8961A53770EEE9BCA0D53D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295521Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\chrom_store.PNGMD5=DE0F8C01D8F793CBF1B4D6C4527B8E39,SHA256=AC4C444E26397FC561CF04F441C4BFE970D60A82C4398D11B624C08A40C21A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295520Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\chrome.PNGMD5=3522F023BF774BF97B9C47C89A3B1CA9,SHA256=5351C8DFB249D9AAE604CD7CD36B1F22E7A0BA7D6D2C522EF262EA466C283C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295519Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\checkproduct_os.PNGMD5=37FF921B67307174D9C2B3B1A5B8F74A,SHA256=A5CDF5FEC2DC9D08F0957EE4B89E7F6121791509E6C43130358B95EC43A102E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295518Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\audio.PNGMD5=B72D26D029577E4C7812297065A1ACF2,SHA256=14FEE2D3C7ED3F5E35CD13A600748F1402CFB8207D141E05ECDE33E198146D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295517Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\antidebugg.PNGMD5=FE2946BA88F7B07EC3FC21359B861BB8,SHA256=D411EEF7954D9196B6B3ACF6F4C0F5AAEE1C7E5EF97F429A1D590CC43ACB27EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295516Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.426{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=86ED6DC08AA78225026C3ACEBA1AE691,SHA256=32E230B20541F9861783EC3A1D9E8809704494C73616B36A0F435792FDA293ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295515Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.426{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8EFC3D521E7F4E1EF82FD178C7E64274,SHA256=D0A49028465B738B020F78A79E63797DA87A5D3FEBAFE000285E27952388B47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295514Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.411{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1395A323315655368A8A2023C238BF,SHA256=4DF70E3D514083FFA52630316E79A09F8A384C7811D4F8FE87D0877BFFF51480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258820Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:36.203{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258819Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:36.141{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED37D320BC21F70846EF776FE32FCDD,SHA256=DFE07C53D5CF590A5CC8BAB0A9E314DBF9C2213B834B729A378F3FBC516C9E90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295513Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.380{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295512Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.301{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295545Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.973{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0B84F9508418B7DAD40E1C772A1253,SHA256=F94A00B032CC4076F86B1E60B744331E69935774036250EB21CE2596E377AF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295544Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.973{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=307D94E1FFAFB5C6045C62A564CF3736,SHA256=56010C2EA90A4B1EDFDE2715A5B0A6A631AD8830AEAC8662570E6C899D3C8493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295543Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.411{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E3533648C1666D24BDA8B3A0D7BA28,SHA256=24E870AAF82F4B686A6D328ED710E35ECE481628667B19D8675D898017A397D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258823Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:35.678{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50817-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000258822Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:37.318{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1359MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258821Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:37.159{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F533D50FF13FF5776A5BB19C4E764753,SHA256=A62CA55EA8C5A2F47708394C951B659140C8D845C07EA12F0615E67614EC05AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295542Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.052{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics.7zMD5=1D304F91AD4B5B4390D0C5533E92DD11,SHA256=BDD4423FB108C205BED35302CF8C48B0EDFF3B49090CBBCF7FA7DD902159C109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295541Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.036{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\uninstall_bat.PNGMD5=38EC19DD6B6E3A7D8F3DB020D01C553C,SHA256=E3CAB5294676EC473CFA2D6D6CD3E69275D7DA7D56B80781C1EC6D044871E39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295540Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.036{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\uac_bypass.PNGMD5=B1452CFD7B184C4B863E0F9A97C2F85E,SHA256=28677CF719C4E8BBBDC2D0AC00B494894581E57A3487CC7B5515AA15DF1264E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295539Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.020{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\screenshot_png.PNGMD5=C1022DBB7301A8010355892510DA03A1,SHA256=EC85AE2BB87D20FCB223F2F39C5B866C558AAB369317FF6E9D6E991F7421966B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295538Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.020{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\regrun.PNGMD5=2771BC6BF2FD46253BB9025CFF3B9AA6,SHA256=EECEDE22F2815CB4CE3DB58C60994D9813B57E5326FD371DDC94534BA4C158D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295537Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.020{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\record_camera.PNGMD5=23914BCC65C5007287E5189A30875A36,SHA256=3CBC911BE8B8DD182F89BF150E361B620C131CD285BDAFB81F36F15D5774B8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295536Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\origmsc.PNGMD5=B53DBF593ACEF432507BD5823B18BD42,SHA256=85DB4C3F9AF32E18FCBA7054C6B2D81C6763A575D71B374968FB4454B4869638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295535Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\openmutex.PNGMD5=82E4B21DAAF15FF1367D5133D2460FD5,SHA256=FB43A0AC87555215526C2B58D0405B79006ABC70D6C117F74F0536FD8D2317C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295534Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\notes.txtMD5=837223B183FB387B786EA13826F0B630,SHA256=D2AAC537C5A5CD72481A87AE767039C9D6C070534F32D484B9245DB0DEC70AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295533Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\key_press.PNGMD5=1B909ACA120FC4287C85381F486BDD72,SHA256=933A9BE08882F9A0BCD77859D80D6464C4CCFCF91F60ACB2725313C7C7AB51C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295532Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\inj.PNGMD5=21F0FAD6A6DED792A6D3F904B237FFC8,SHA256=EC3CD98D0AF0CCC660911A1E90792465D655B15CE600F700EFC30661906B84F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295531Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\ie_cookie.PNGMD5=0F5C7A8AAF53F4DBCAE5CB32D07966A7,SHA256=4EB849517E805DD7D714A6B35BDDCD2D019A3F3C39F580558656D02781B8AE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295530Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\firefox_profile.PNGMD5=2D2613692AAF836FF251998CB67C8EB2,SHA256=12BD04024F6339D471101A5423CBBEFCD0058F0C04C31A5CE006B1F1D6C3736F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295529Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\Exepath.PNGMD5=26590D43406AF7E7F59B8214A32283D7,SHA256=79FBB7693E8773C312E0AE6FF697BDA0C8D9A14EE744A11B11C964AFBF079385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295547Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:38.442{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02CBEC9996AAA269B9BDD8E1577CA47D,SHA256=3DF7AB665E71B49CDDB1B01DA04A259A4B293D2DA3EA5D05DF934BB1A96F6E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258825Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:38.317{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1360MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258824Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:38.175{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFA13D5A475BD6E4E4078A8DFC13C18,SHA256=DAFD13BA07861A2DBC93A3EC1EF48984E46094970BDA0E1CA6DAB3469EE0993F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295546Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:35.604{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59130-false10.0.1.12-8089- 23542300x8000000000000000295549Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:39.442{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7A22E206EE466FE586C5C8FDBBECC3,SHA256=FDDF983EACF4296E22FCCE120DF469D9CD7F490F8111FA0E5ACD43CF528280C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258827Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:37.634{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50818-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258826Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:39.176{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F87A47400162B0F0E98FC41AE5F6D83,SHA256=BCAAE3E69FEF3502CD101B44F2E39C390F9C506A7F2F97C1804BC85F596015D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295548Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.448{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59131-false10.0.1.12-8000- 23542300x8000000000000000295550Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:40.458{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C7BA170060B29A0C7F421489F70F27,SHA256=B82CBD6F3F677EAFE3420BA5E167C8EE3F83881B61F8EE55A12B25C526791F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258828Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:40.223{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C0DBC918DB04255B9CD2E91491EEB5,SHA256=52394A70C1709CEA25F20CB932092B40A9FD2E9367B9F204841C472D66D58B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295574Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.473{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C04AC57F064B5FBC8AC2341415F907,SHA256=0F9E233D5159E361F9CE4360B0D513B65CBA5DA88A90FB6DF7589C0D5ABEB665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258829Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:41.332{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B700AC399F712A9357955A0DCA236112,SHA256=AB2D83601811F7B9D0FADD3643BAAB426A7F002DBA82D4EC2123E5D74D062DC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295573Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.161{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295572Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.145{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295571Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.145{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295570Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.145{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295569Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.145{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295568Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295567Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295566Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295565Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295564Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295563Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.114{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295562Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.114{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295561Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.114{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295560Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.114{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295559Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.036{5097E253-483D-6148-1600-00000000FB01}12924088C:\Windows\system32\svchost.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295558Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295557Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295556Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295555Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295554Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295553Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295552Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.005{5097E253-8792-6149-AA29-00000000FB01}48166404C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+4f38|C:\Program Files\7-Zip\7-zip.dll+61c5|C:\Program Files\7-Zip\7-zip.dll+698e|C:\Program Files\7-Zip\7-zip.dll+6aa9|C:\Program Files\7-Zip\7-zip.dll+8771|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284683|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c520|C:\Windows\System32\SHELL32.dll+17999e|C:\Windows\System32\SHELL32.dll+736c1|C:\Windows\System32\SHELL32.dll+765a6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026 154100x8000000000000000295551Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.014{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe19.007-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap31747:46:7zEvent14784C:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=04FB3AE7F05C8BC333125972BA907398,SHA256=2FB898BACB587F2484C9C4AA6DA2729079D93D1F923A017BB84BEEF87BF74FEF,IMPHASH=9CF6F80DD6DFE9900700C1E11C318B2A{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000295575Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:42.473{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67A65B1A1AE6877C268C245C5F257AC,SHA256=4390DAE4FAC79367DBC7FE8F8797D185F39C8FB06BC6C8A91FEA37F49DDDA28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258830Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:42.380{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E17EB2CFDCDAAE21F3B9108A0D4D86,SHA256=BD63396240F62A4CF20F4556426C2A85E942DB25DF138944500C31E9FA0BEC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295611Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.688{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2892C8B1E7393CD84240D3F5D103917,SHA256=8FC7F0C1FDBBAE1446C1839F4709AD6A947D5FC0BF953A8291DB77DEEC91FFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258831Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:43.380{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75EFC2291F8F368F2383860A80EDE08,SHA256=051CBFA6FFFB1B321BCC2E28C7A65E49ED10FEA187AB770DEABEB2EAFC84C1C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295610Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295609Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295608Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295607Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295606Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295605Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295604Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295603Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295602Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295601Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295600Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295599Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295598Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295597Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295596Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295595Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295594Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295593Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295592Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295591Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295590Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295589Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295588Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295587Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295586Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295585Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295584Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295583Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295582Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295581Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295580Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295579Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295578Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295577Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295576Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295617Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.750{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7D2AB2909F3EC60DEFF39BD23C8293,SHA256=6E82BA973CD629058A272DB9E3321BBDA1966EE43629174120E14CB8DA968D26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258833Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:42.667{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50819-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258832Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:44.411{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB8569763FAE9FCFB88C824CD57DA5F,SHA256=5711F441D0A8AB84C383475BD9549C8307922F5058D16C59F9AEB921659339FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000295616Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.563{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exeC:\Temp\remcos.exe2021-09-21 08:00:44.563 10341000x8000000000000000295615Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.500{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295614Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.500{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295613Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.500{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000295612Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:42.444{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59132-false10.0.1.12-8000- 23542300x8000000000000000295618Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:45.750{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E45156DB32214A22A1D07C94D6C17E,SHA256=95FEC90D7686B75F5A7B9A804942FB041B35FC829665C2B5030491FF4FFB03C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258834Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:45.427{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80BA462DE44FBAB49EB900B9A80690F,SHA256=AA782CDA33A02A50D48F02FD923BCFF7C9AFD51EB66EA99A07F4EB14C0F20FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295619Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:46.751{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04274A029C0DC991420227247204353,SHA256=8EFA76C16DF378B2880F733CBDD59C4054247CCA523E3438F847FF80C342822B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258835Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:46.458{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4EFF64D6C704FCCA5CAD213AF25671,SHA256=71E76E59769D88185FA398E1301BA6252701E026029C6EBEF2723D8F3D48E541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295620Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:47.938{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2F0B5D84BF1A36CA0C0E93334E9C98,SHA256=71F70659821129907E52D4111F20C356B8B6AA37CFFF0A3450F1DA11A708900A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258836Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:47.490{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE08372FF7B8877C747DDE7E349C305E,SHA256=3385F220ECEFD64B5FFC29EE7D4B07A3BABDB643CE76B2AD33B30EA142BF0F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295621Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:48.938{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3C947345CCEEB04B825F524521ADFC,SHA256=EA43308F361F8C981D933AC09FB3D9D4D0E10A5A7224086DC12F77E9F2A221C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258837Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:48.505{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5C23EEDED5F4D6D8531ED5D8E0F74B,SHA256=6D8EA8825A037205C3FC1C8140A8DBF556498C6E872029EA550EF723A8366B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295623Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:49.985{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D3C299A3776108A7F715A2A143AC36,SHA256=603F2FC08080FC38C6FB9EB835908E024480D3AA419505C9F74FA10A9DC2571F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258838Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:49.552{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F4CA97D7CABEC5A642EF759AABF497,SHA256=98D30408C2F7D185D1A2D865E6FD86EE6FDCD5999B0588AFA379392C882A7EF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295622Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:47.522{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59133-false10.0.1.12-8000- 23542300x8000000000000000258839Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:50.583{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DCA0666EF3BD5879C78EF4C5E1BAB7,SHA256=58EE271DAB1D09D1544C49CBF47113A322DD0FB3D1FF9292B0E42370B6052766,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295624Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:50.891{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000258841Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:51.599{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06FE0173494493EA41641A69238DBABC,SHA256=B8E48644905B2D899C40C35436B2183CB5562DBFC828616448CF5DE57E80630A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295626Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:51.469{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295625Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:51.016{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E693424E2A177BCA8BB9B5826E23A4F6,SHA256=DF861171F689700E23B8639B7274642B0DEBBF68629FD6527FA9E2CE48A30A52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258840Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:48.682{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258844Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:52.615{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A843F002D34864D154F0D7080AEDB7AF,SHA256=9F054252EFB66CF6323F25BE108D690A38BA5C313D451FD4233632E071CDB939,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295636Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.563{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9134-6149-7A2B-00000000FB01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295635Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295634Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295633Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295632Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295631Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9134-6149-7A2B-00000000FB01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295630Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9134-6149-7A2B-00000000FB01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295629Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.553{5097E253-9134-6149-7A2B-00000000FB01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295628Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:50.695{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50821-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000295627Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.016{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4A86949D1D5AF8B4AA6BA8605BD758,SHA256=FE251E03040C1783BE62E174DAFC5E7F56D54AD08506344D37DA6DF2F39D9B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258843Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:52.380{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326B2668DCD8DDDDCB571325E7A3EB3B,SHA256=A8F319D828CC0D9F5F6CD32A1F2798BD80D63C959BAD5A2845F4D0198EF8258D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258842Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:52.380{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1417061F14742A0A3556EC26077154EE,SHA256=A396CFE8765BB6074BDCB72C6CD5321FAEDF7A88126BB532C0B6522CF50B467D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258848Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:53.630{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52514C0F6D23ACEB7085B340A2963498,SHA256=B4C2F47D6A16362766044F99F0B7554B7633077F702178157A6FFFAE989AE979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295654Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9135-6149-7C2B-00000000FB01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295653Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295652Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295651Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295650Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295649Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9135-6149-7C2B-00000000FB01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295648Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9135-6149-7C2B-00000000FB01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295647Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-9135-6149-7C2B-00000000FB01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000295646Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.391{5097E253-9135-6149-7B2B-00000000FB01}79167776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295645Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9135-6149-7B2B-00000000FB01}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295644Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295643Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295642Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295641Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295640Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9135-6149-7B2B-00000000FB01}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295639Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9135-6149-7B2B-00000000FB01}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295638Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.236{5097E253-9135-6149-7B2B-00000000FB01}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295637Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.047{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2CC57A6BCE0CE6FB775EEF3583D8A8D,SHA256=F5BDA4227B46077393C33A516886FDEB2A6FD343BA323AE47FE1980A1741B3E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258847Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:53.490{C189DCE5-4A3E-6148-0B00-00000000FC01}6243592C:\Windows\system32\lsass.exe{C189DCE5-4A3C-6148-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000258846Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:50.840{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50821-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000258845Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:50.671{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com51479-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258849Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:54.630{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B45398F28D244DD329CBE3FB619DBB,SHA256=FF23449926B13C2510A8BFB35433E97140DBEA881DEA7C2E37C7C7D6F133D19A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295690Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.719{5097E253-9136-6149-7E2B-00000000FB01}65927380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295689Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9136-6149-7E2B-00000000FB01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295688Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295687Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295686Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295685Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295684Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9136-6149-7E2B-00000000FB01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295683Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9136-6149-7E2B-00000000FB01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295682Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.566{5097E253-9136-6149-7E2B-00000000FB01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295681Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=750B81126C6B3E1AC62774C7B809BD39,SHA256=774974DA3244C416245552457FB7F5A6E856D3FF1BEB409E5C9B610523EE493E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295680Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0B84F9508418B7DAD40E1C772A1253,SHA256=F94A00B032CC4076F86B1E60B744331E69935774036250EB21CE2596E377AF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295679Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64EC6DE2DB665072CB1462D87A568E6,SHA256=2A55E6ECBEDB821BDB943A30AA941757D9FF4EB0EE4E26D3D482A5CDEDF3D5AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295678Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295677Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295676Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295675Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295674Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295673Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295672Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295671Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295670Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295669Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295668Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295667Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295666Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295665Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.047{5097E253-9135-6149-7C2B-00000000FB01}69007476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295664Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.032{5097E253-483D-6148-1600-00000000FB01}12924088C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295663Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.032{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295662Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483D-6148-1400-00000000FB01}10362268C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295661Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295660Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295659Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295658Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295657Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295656Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-8792-6149-AA29-00000000FB01}48165736C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5|C:\Windows\SYSTEM32\SndVolSSO.DLL+bf8a|C:\Windows\SYSTEM32\SndVolSSO.DLL+c112|C:\Windows\SYSTEM32\SndVolSSO.DLL+bb05|C:\Windows\SYSTEM32\SndVolSSO.DLL+7c7a|C:\Windows\SYSTEM32\SndVolSSO.DLL+1355|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000295655Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.020{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl,,soundsC:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000258851Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:55.632{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4E6F14F6E9AE4D5793E1F0521E2FF1,SHA256=AE60E7E20C2DBB7CC40081250EFBF1F0042FCFF78566F169321DC1D7A631CADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295710Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9137-6149-802B-00000000FB01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295709Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295708Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295707Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9137-6149-802B-00000000FB01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295706Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295705Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295704Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9137-6149-802B-00000000FB01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295703Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.908{5097E253-9137-6149-802B-00000000FB01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295702Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.475{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59134-false10.0.1.12-8000- 354300x8000000000000000295701Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.824{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50822-false10.0.1.14win-dc-966.attackrange.local445microsoft-ds 23542300x8000000000000000295700Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.688{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1A0E8E85A8E3D95EEFC47EF6AC9E6F,SHA256=2695089EB98DCD90BEBFF437BA2981AD3406B7ECF69FA472586BE8DD1EAB9A4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258850Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:52.969{C189DCE5-4A3C-6148-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50822-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 10341000x8000000000000000295699Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.376{5097E253-9137-6149-7F2B-00000000FB01}81122144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295698Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9137-6149-7F2B-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295697Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295696Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295695Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295694Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295693Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9137-6149-7F2B-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295692Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9137-6149-7F2B-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295691Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.236{5097E253-9137-6149-7F2B-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258852Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:56.647{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CACF28EC86C21829A64FA87DF6A2605,SHA256=AA33669426CD87D80145A469B5C301D9B79DC13FB889CED74F59E7AD322C2391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295711Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:56.688{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E91C2C0C7FADB9DA2109106C1F87279,SHA256=DD5D291FA3E7B239AB068B25CB8469B659B047C679C3EB2E631B22DD42EC53FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295714Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:57.719{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E148BD65B3E74460DFF4FED86D7C6643,SHA256=112588BE33E58FF52FA5EE1D4CEB3B4A513719DA122EE9A85D32033B659496BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258854Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:57.663{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50E3CA781C301635A7C808AE85D09D2,SHA256=94B6BE32A9762DDADBBE71F869238510C695A58BA133D1C42FE3EEA42DFD4D11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258853Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:54.637{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50823-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000295713Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.804{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59135-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000295712Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.803{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59135-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000295715Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:58.735{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A6C5038E425CB139DE5935F0EC804C,SHA256=42337A71EBBA29C9FD75E146AAC20D1B5E67EF82D6A347B126D9B5B461EE2BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258855Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:58.678{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC6EB8C72F94E98FBD186B616BB1762D,SHA256=29F33050891EC4BE91FCA7D4FF63633E4CF44A39E6BB04C36C1BDD913CF2B5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258856Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:59.694{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FBD88B8776B565DDDF58202ECE4BFA,SHA256=B3D185F568A4B6D42D6179D3071F518AA7B65003F13D0C34B76C1C28E23AEBA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295716Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:59.782{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58804FE57168AE513A2ACB688396C474,SHA256=1F7AA36D21308C28711007092BA8583AE4489850CD5A3CDDC65551A9889B7B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258857Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:00.803{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BF1E188AE49B2FDE4698927EE94D92,SHA256=39385B05B035CF47A60D1B30AED655D52913EF8F81DA5F1F0EC8C8685E193007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295823Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.985{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795F8D30767BF9E9F0BE50C4790D322A,SHA256=CD14B7CFC77BA64729F28A2B018A44E740059A2D67512330BA019C44B6A6D402,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295822Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295821Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295820Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295819Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295818Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295817Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295816Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295815Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295814Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295813Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295812Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295811Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295810Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295809Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295808Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295807Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295806Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295805Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295804Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295803Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295802Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3280DE0A8BD9ED096EBFF6B48FDCDB13,SHA256=12ED44B409477AE235C7564B47873A25CAF790019907716A1A52FF2ACB920F7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295801Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295800Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295799Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295798Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295797Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295796Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295795Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295794Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295793Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295792Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295791Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295790Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295789Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295788Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295787Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295786Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295785Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295784Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295783Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295782Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295781Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295780Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000295779Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-09-21 08:01:00.922{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceClasses\{e6327cad-dcec-4949-ae8a-991e976a79d2}\##?#SWD#MMDEVAPI#{3.0.0.00000002}.{6C26BA7D-F0B2-4225-B422-8168C5261E45}#{e6327cad-dcec-4949-ae8a-991e976a79d2}\#\Device Parameters\FriendlyNameRemote Audio 13241300x8000000000000000295778Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-09-21 08:01:00.907{5097E253-4839-6148-0100-00000000FB01}4SystemHKLM\System\CurrentControlSet\Enum\SWD\MMDEVAPI\{3.0.0.00000002}.{6C26BA7D-F0B2-4225-B422-8168C5261E45}\FriendlyNameRemote Audio 13241300x8000000000000000295777Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localInvDB-DriverVerSetValue2021-09-21 08:01:00.907{5097E253-4839-6148-0100-00000000FB01}4SystemHKLM\System\CurrentControlSet\Control\Class\{c166523c-fe0c-4a94-a586-f1a80cfbbf3e}\0000\DriverVersion10.0.14393.0 13241300x8000000000000000295776Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-09-21 08:01:00.907{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceClasses\{6dc23320-ab33-4ce4-80d4-bbb3ebbf2814}\##?#SWD#MMDEVAPI#MicrosoftGSWavetableSynth#{6dc23320-ab33-4ce4-80d4-bbb3ebbf2814}\#\Device Parameters\FriendlyNameMicrosoft GS Wavetable Synth 13241300x8000000000000000295775Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-09-21 08:01:00.907{5097E253-4839-6148-0100-00000000FB01}4SystemHKLM\System\CurrentControlSet\Enum\SWD\MMDEVAPI\MicrosoftGSWavetableSynth\FriendlyNameMicrosoft GS Wavetable Synth 13241300x8000000000000000295774Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localInvDB-DriverVerSetValue2021-09-21 08:01:00.907{5097E253-4839-6148-0100-00000000FB01}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0004\DriverVersion10.0.14393.0 10341000x8000000000000000295773Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295772Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295771Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295770Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295769Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295768Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295767Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295766Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295765Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295764Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295763Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295762Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295761Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295760Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295759Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295758Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295757Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.876{5097E253-483B-6148-0B00-00000000FB01}6321892C:\Windows\system32\lsass.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295756Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.876{5097E253-483B-6148-0B00-00000000FB01}6321892C:\Windows\system32\lsass.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295755Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.876{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295754Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.876{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295753Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295752Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295751Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295750Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000295749Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localT1031,T1050SetValue2021-09-21 08:01:00.860{5097E253-483B-6148-0A00-00000000FB01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Beep\StartDWORD (0x00000001) 10341000x8000000000000000295748Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483B-6148-0A00-00000000FB01}6244080C:\Windows\system32\services.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295747Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295746Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.844{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295745Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.844{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295744Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.844{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295743Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.844{5097E253-483B-6148-0A00-00000000FB01}6241976C:\Windows\system32\services.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295742Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295741Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295740Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295739Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295738Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295737Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295736Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295735Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295734Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483B-6148-0B00-00000000FB01}6321892C:\Windows\system32\lsass.exe{5097E253-483B-6148-0A00-00000000FB01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295733Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295732Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000295731Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localT1031,T1050SetValue2021-09-21 08:01:00.813{5097E253-483B-6148-0A00-00000000FB01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Audiosrv\StartDWORD (0x00000002) 10341000x8000000000000000295730Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.798{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295729Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.798{5097E253-9136-6149-7D2B-00000000FB01}51046508C:\Windows\system32\rundll32.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\shell32.dll+3ccff|C:\Windows\System32\shell32.dll+3cb8c|C:\Windows\System32\shell32.dll+3c8dc|C:\Windows\System32\shell32.dll+e2157|C:\Windows\System32\shell32.dll+e20b5|C:\Windows\system32\mmsys.cpl+24db3|C:\Windows\system32\mmsys.cpl+24edf|C:\Windows\system32\mmsys.cpl+42f1|C:\Windows\system32\mmsys.cpl+3ae2|C:\Windows\System32\shell32.dll+13b569|C:\Windows\System32\shell32.dll+2b5b03|C:\Windows\System32\shell32.dll+2b6b56 23542300x8000000000000000295728Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.798{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EAA8F732DC711533A1DEFD1A48D924A,SHA256=636129B3BEB4BB61B0434B755CCC1C09F8C93629183A52119AF74BFFC7B05B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295727Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.782{5097E253-483B-6148-0B00-00000000FB01}6321892C:\Windows\system32\lsass.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295726Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.782{5097E253-483B-6148-0B00-00000000FB01}6321892C:\Windows\system32\lsass.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295725Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.766{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295724Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-913C-6149-812B-00000000FB01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295723Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295722Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295721Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295720Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295719Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-913C-6149-812B-00000000FB01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295718Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.032{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-913C-6149-812B-00000000FB01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295717Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.033{5097E253-913C-6149-812B-00000000FB01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258858Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:01.819{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB40589F099DB20C6A5280B743AACDD,SHA256=0D0B5409404368E93AED811F19FD20C3F831BB3765F778B61278100E6898C9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295833Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.985{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F30E9D63BA7418CF480079823F2D91E5,SHA256=EF203F4FE88499C9EB4B48C22B3400024EEAA2121FA1A72BCC1C7F6B011091BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295832Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.985{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=86ED6DC08AA78225026C3ACEBA1AE691,SHA256=32E230B20541F9861783EC3A1D9E8809704494C73616B36A0F435792FDA293ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295831Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.891{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0662A0719AA488E27B112B770A191CEC,SHA256=144FDE3343A45151486D80C7B951FF1C59F4B2859F8AC3CE4E90490DB47E1B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295830Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.891{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=750B81126C6B3E1AC62774C7B809BD39,SHA256=774974DA3244C416245552457FB7F5A6E856D3FF1BEB409E5C9B610523EE493E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295829Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.813{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A35D5BFA4131CE3A675355B99844F6,SHA256=D08A99CE1843677E5D2681DE719C749A42869E205EA8321D556BF9194A2C8D2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295828Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:59.475{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59136-false10.0.1.12-8000- 10341000x8000000000000000295827Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295826Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295825Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295824Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:01.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000258860Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:02.850{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D80F84A967D1D1ACADAED12779332A,SHA256=2DA7C7670B19BB5C09706878469444CE4E8DC4E1965AEC02FFE84797EB2FB77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295834Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:02.813{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AA485433680B5DDB513A31DF941236,SHA256=AF6CABB2315DA3CF80C8DC7216D2D822EEB303BCC37075CDC3246D93B7B1A901,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258859Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:00.590{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295835Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:03.826{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0ACD4ADCEBF793410E64F07627BABEF,SHA256=2696198C2239A8F3D605D9E71F8D89E00B385720E8A97EE92365408CDF0D2176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258862Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:03.893{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED92FFF2444FDE4B68ADA92D68155983,SHA256=1D15043640FFD0F8FC23EA2D268EC1EE8DC6E47837975028891D3214FEDEEDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258861Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:03.190{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D391427DBA487845460A196240D35E6A,SHA256=3DF226A5CA98C611EF2B218B09AF65143D8E85B6F5E1361B3058EB5DBC3A1448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295836Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:04.873{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEA543EF11E390A3B2422DA987A4855,SHA256=700884FCAC30014CEDD777D0392FF9ADE2C2746194E4490BB5E4C4FB9205AC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258867Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:04.955{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18ECB4D0A0B39AEB7D6631F3BB90590,SHA256=7655348003A6141B13CE8F1F4B04BCA4B32DA5C3544767E59DC00D0C1128EAF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258866Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:04.596{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A263BEC4A6C9007EEEF149F5976860FD,SHA256=8C070766449682925B2215BD4CC9D6EC3FCF956B2B0ACA1054E32C667E9CBDD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258865Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:04.596{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326B2668DCD8DDDDCB571325E7A3EB3B,SHA256=A8F319D828CC0D9F5F6CD32A1F2798BD80D63C959BAD5A2845F4D0198EF8258D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258864Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:02.642{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48850-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000258863Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:02.562{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48738-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000295838Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:02.908{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50825-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000295837Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:05.904{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E5362A4E87581B8518928E35FB760C,SHA256=65B4B7108063D563651DA5AC31231C5A948AAA5E793F16F2EB73CEF20D84DC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258869Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:05.971{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E9133FA3C30A45FF4BB0416718EA0A,SHA256=00A20E865D3614CF6874BCE2528C43E033843B226F19EE3E9E936C51F2092113,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258868Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:03.053{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50825-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000295839Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:06.904{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8A757728290BD8C75E8A2244519741,SHA256=A3161A3F911C772F842B60C916AEB0AFD191F21066625C1D1054199CF8E6DE3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258872Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:06.971{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B0AB7ED5379B7CEDB1DE51649E5ACE,SHA256=4A1E937D1C6EFFA0709D9968C9B6EAA15B270A32FB9656A42705BF8990408584,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258871Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:04.255{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50447-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258870Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:06.096{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A263BEC4A6C9007EEEF149F5976860FD,SHA256=8C070766449682925B2215BD4CC9D6EC3FCF956B2B0ACA1054E32C667E9CBDD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258876Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:07.987{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77404A8D0102CF8AD967E2745DD5A020,SHA256=4AF144C0CDAE3F91AE7D643399FDA4D121D9C478AE52DCBD4FDB60AD3D783A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295840Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:07.935{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41957DC78AF7FEAF7DC91126DE71BD95,SHA256=57C54B77416C945EF2BBA1AD36A6F55184AA0E03373497FAC6A4E83B9791914A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258875Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:07.471{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60F868CCEA998B0B131B9CECAF41FA70,SHA256=B9AFF0B0F53ADA2EDCA6199C57AB55CF2DFD963AC2B63AA81A24CD280DFEB586,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258874Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:05.648{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50826-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000258873Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:05.645{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51825-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000295842Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:08.951{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFDD81AB43DCDBB9C18D1F5016C31D3,SHA256=A3989D6FAA234BB9BFB175A0605B3F8FEBF6046E178E57D09FD7400C6BB8851A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295841Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:05.363{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59137-false10.0.1.12-8000- 23542300x8000000000000000258878Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:09.158{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0BFB9C016361A2E6A0106D1839ACBB5,SHA256=6DD1E9F360491BE7E7E7BDB29DA5D38047690474DC46F80F9055B013A3017925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258877Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:09.018{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A810BF9B956449D052CAC57E4DC3756E,SHA256=654C79D17BE196D23D1EFA94F642A6858CCCF73C77B5CA8D86F36FE34F43627E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258882Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:08.722{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55029-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000258881Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:07.131{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53387-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258880Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:10.471{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74775601C2F0CCF1784DBA28E29FE94F,SHA256=73E5601CFAEB64815B0AA18BC9C5D09F5D4C0D50E5BCA6F1FE5611E8131AA674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258879Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:10.065{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4FA55A86B27FFDF5EDCCD3A41970C3,SHA256=6B83318E72996249088568BB27E51DA566D84BF75F61FB314C08E13C08464303,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000295847Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localInvDB-DriverVerSetValue2021-09-21 08:01:10.951{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{a92a497c-9694-68bb-690a-d0ec7946fe91}\Root\InventoryDevicePnp\swd/mmdevapi/{3.0.0.00000002}.{6c26ba7d-f0b2-4225-b422-8168c5261e45}\DriverVerVersion10.0.14393.0 13241300x8000000000000000295846Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localInvDB-DriverVerSetValue2021-09-21 08:01:10.935{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe\REGISTRY\A\{a92a497c-9694-68bb-690a-d0ec7946fe91}\Root\InventoryDevicePnp\swd/mmdevapi/microsoftgswavetablesynth\DriverVerVersion10.0.14393.0 23542300x8000000000000000295845Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:10.326{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1FB419142DB8FED6D65D7937784A1E4B,SHA256=ED026695E8EDA18736168485352BCB2B8FC2E5C01578D40001B46AA9378A5EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295844Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:10.326{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F30E9D63BA7418CF480079823F2D91E5,SHA256=EF203F4FE88499C9EB4B48C22B3400024EEAA2121FA1A72BCC1C7F6B011091BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295843Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:10.013{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625B69B720617BB4F4023C4256B6376E,SHA256=DE3CB0FD2B01E9A639313415D8A09A927F8377709B44A909CCA982D4B57D6D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258883Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:11.158{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68598F9613AE7BDE3964F0E069605359,SHA256=F3B4CE2ED17EBE45250E9A9C6D92D02B4C9BF05055EC40123D59172085F558F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295848Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:11.029{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B0CE47E33D0CDD8F5D0E4C19628264,SHA256=3796B849B3E3461F00EC920FFD623D8A3836E49F10C99C16D8DDCFB3CAA72DEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258887Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:10.695{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50827-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000258886Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:10.159{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56477-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258885Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:12.502{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E941DD3586C7B047BAE3C5EE1432A928,SHA256=6398FAA30985CD9F0882EE5712E8426EBBD7127EF9ADAC5B825A51784A4A4EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258884Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:12.158{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420B0C4B9158DBEB1A934371144FE908,SHA256=7BF8C7603B1ED0AE794CA41F5AB092D435068F2F7DB4983DCB224E55110166DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295849Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:12.044{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8CC5E8247233068E078AC19BD43B5C,SHA256=A6D78CA6E835CE8C4DAF63930F5A94E2229FB74C0E00AB5CE32C9B347D12045C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258890Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:13.893{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20892F053E16B8A27547FDAB25A5C12C,SHA256=10DC2966E98DC393C729560EF3D718933A13A7706009BC4F7F276D84B9445D5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258889Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:11.385{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com15474-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258888Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:13.174{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CF4F44B4C554677FA9D2D80D2A0BC6,SHA256=07A947AA4A0A604B44E69A671FA5B4A13D543DC0AEDCEBC68AB56A72B23A3E9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295851Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:10.472{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59138-false10.0.1.12-8000- 23542300x8000000000000000295850Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:13.044{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B7F325A5814A66ADE87DE51C53D4A9,SHA256=C3284A967DBE3ADEC42E2587CF6EB3C728C1A63935A87CF0F5810902DA362E6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258892Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:11.754{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com49907-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258891Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:14.190{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944BD7E9BC768464149451CB3F90BF96,SHA256=9FE8D98353D11DBBAA79C638C8E269FEFBA4EF2F31AA324243DBF5491E510900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295852Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:14.060{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0DFB0F623DDFEDD69E303E72C210B5,SHA256=37F35FEA37136AD88D91505BFD351E126B016EDE0EACFD3AF7FE8ED851F283AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258896Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:13.481{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59876-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000258895Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:12.068{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58328-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258894Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:15.299{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00FFF62F1F10B3102A9F6E966A9BF51C,SHA256=96880CFE3C3103340614AAA844C14EF93FC29DEB163A9475B0C915D98E027A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258893Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:15.221{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C100EA7F4D6F5144B7B08E618DDA64,SHA256=CED78C592269DF573CC675ED7C1F3D814CA9929F3C1C2A578585F852F60432A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295853Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:15.060{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE015C44C0073A43A4AED2CDBD34C83,SHA256=A1E8F7C2A4CDB4B4A2BE446B7D8F09752A36B864B85BB8AD30E2C772215980B6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000258898Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:01:16.674{C189DCE5-4A3F-6148-1100-00000000FC01}964C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7aebe-0xdab09feb) 23542300x8000000000000000258897Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:16.252{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C65A7266AA94865077CEEF5087657D,SHA256=55916917917B2575895C7E95C92FE7D9A98E48C9E2912F87F28243785984CCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295854Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:16.076{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E609BC5779672BCA978B697E3EC460,SHA256=386924D02BF6EFA82F2A0CE7AFE8E7D4CBBC7DB57077EEE2B62A2E1795CADB9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258901Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:14.949{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-2366-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258900Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:17.299{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1997DB90D0FB5955B823B2C663FDB8DA,SHA256=2FDD1BB4E4C88FE95541EA45C972D1A8B3A2E74793AC71864242AC1AEA0FCDAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295855Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:17.107{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDF64D587BF166C5ABE0B54E31604B6,SHA256=3A6F22FF92195DEAB5015A2CEFE4ADE05E86BEC88CAA2635101A90675BF6E853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258899Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:17.033{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8EAA3CE83AC43F11BF31485CE34AB6B,SHA256=79DBF91836BB31A9E3030A743E2BD61C29FB34669F3C1FBD00602E83A956EDC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258905Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:16.132{C189DCE5-4A3F-6148-1100-00000000FC01}964C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-917.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000258904Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:16.132{C189DCE5-4A3F-6148-1100-00000000FC01}964C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-917.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 23542300x8000000000000000258903Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:18.580{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF9F961B74D0A162E47A12A491C63D2D,SHA256=BCFB1DC0DF57F8C6E8A5E50243C7C87E5AF3AAC95EFCFAB90AB440DF19749571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258902Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:18.330{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69774380DFDBD98E238486D41C44676A,SHA256=5B3F7777C9B6714EAA8F6A2B439075178442775D1EAA2BF006E4CC36269B17B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295858Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:15.987{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-966.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 354300x8000000000000000295857Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:15.566{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59139-false10.0.1.12-8000- 23542300x8000000000000000295856Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:18.138{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9765D2556AA495E0584BC9FA6426211C,SHA256=22154C192BCCA71DCDEC6E1BD5C248813E139F79AFFBF4A38993D051A2A0EDA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258908Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:16.648{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50828-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000258907Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:16.586{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-4061-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258906Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:19.393{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F531516D96F7622EA8B94BE70F5167,SHA256=B050B894F7D6B3E37E3E5814192B8A3D901359332EA5600C1B95E63014DF61D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295859Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:19.154{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FF9839D536FB435C658450D40D39EE,SHA256=3343C5D2C7F9E90B5DF7A6D7916E077104E7A39648A782001155F88A3C7FD069,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258924Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:18.179{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-5689-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000258923Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9150-6149-1527-00000000FC01}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258922Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258921Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258920Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258919Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258918Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258917Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258916Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.877{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258915Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.861{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258914Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.861{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258913Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.861{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9150-6149-1527-00000000FC01}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258912Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.861{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9150-6149-1527-00000000FC01}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258911Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.863{C189DCE5-9150-6149-1527-00000000FC01}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258910Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.424{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A845F0BE745B4F0319289558E73FAE,SHA256=24604313C0291C4C54CC3BF37EF20237A00EE6A56348C29608929EA35CAA3351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295860Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:20.185{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5432D5BB00ED59A8183168F7170A9A54,SHA256=39C2D50B279B853094F5C2B26881191A344E00303BEB75392A381632599113A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258909Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:20.049{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E092FD12D0C2C71D4984DEE48D0417D,SHA256=7BF63EF5D10F86E3D2C610ED438F14ED8B5BDBC6BBED5C1E59B38480A705C9C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258940Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9151-6149-1627-00000000FC01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258939Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258938Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258937Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258936Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258935Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258934Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258933Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258932Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9151-6149-1627-00000000FC01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258931Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258930Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258929Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.549{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9151-6149-1627-00000000FC01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258928Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.550{C189DCE5-9151-6149-1627-00000000FC01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258927Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.455{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC7416DC498E489B37FDB33FD18BBF9,SHA256=41A1ACBEBB48C21AB247DE660EBE698FD77EBBF26B8A95C5F0B99B1AD7804904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295861Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:21.201{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6372F97670634886C64040D3DAD9D47,SHA256=45CF6D685B3110FD40094D4CEF415F4676A0492302F6E539FB5CB9CD6E6969E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258926Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.393{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4390124D8EA0A82DF106BF4CE3BD3296,SHA256=2E67C63C0F2F6DE8591C26FCFDF0F012CC3CD7906074E8DE89819A58C32E3FBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258925Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.065{C189DCE5-9150-6149-1527-00000000FC01}10162520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258970Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.877{C189DCE5-9152-6149-1827-00000000FC01}24883736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000258969Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.736{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8624DC168BAA3A92D0E2DCBAFF71DC30,SHA256=702FACECDA189B3EA69FE3F7A863C1F127BB26AB369D17F64F72BC573CB3424D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258968Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.736{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786BBCE0D3486E58907F5EBC0754D5AB,SHA256=FBBB4A25A593F4AEC172FC2145A657B5ACCE59F376A61ACECA076B5FFED24186,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258967Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9152-6149-1827-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258966Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258965Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258964Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258963Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258962Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258961Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258960Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258959Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258958Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258957Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9152-6149-1827-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258956Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.721{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9152-6149-1827-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258955Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.722{C189DCE5-9152-6149-1827-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000295865Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:01:22.670{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000295864Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:01:22.670{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Config SourceDWORD (0x00000001) 13241300x8000000000000000295863Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:01:22.670{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\613C4DCD-0611-4E95-B870-A6B03FE07762\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_613C4DCD-0611-4E95-B870-A6B03FE07762.XML 23542300x8000000000000000295862Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:22.201{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D332114A4D5415555AC745ADB93B7EC7,SHA256=F5DA2D50EEE5F271FD17D712C3FEE20CAF9DA15873002AC5C28441C425CE4AAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258954Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9152-6149-1727-00000000FC01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258953Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9152-6149-1727-00000000FC01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258952Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258951Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258950Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258949Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258948Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258947Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258946Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258945Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258944Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258943Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9152-6149-1727-00000000FC01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258942Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.221{C189DCE5-9152-6149-1727-00000000FC01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000258941Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:19.600{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-7128-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258973Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:23.763{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84EA40A8E433C31FE2A6C8F8261B75F5,SHA256=0CF45E7568F23C34DACBE522868601763F4225811F0DCC2E94976D14AB8E12F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295867Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:21.331{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59140-false10.0.1.12-8000- 23542300x8000000000000000295866Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:23.212{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5A12B80F6F3C512E2AFB0A913ABA80,SHA256=16F3FCB65C2298251BEF5BBF7D857958DE763B3F6CDC11EA6BD740A68B4D8C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258972Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:23.732{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1B4199E842A2EF3C74E209A7BE51679,SHA256=85812BD7F6798FEFD05F78E449FEBD07518554534E98CBAA5DD6D35A66713D2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258971Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:21.003{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-8612-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258988Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.779{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E282CC6683411C9D2D46DB4954B528C,SHA256=D1F469C1C654EB1C63B2955BDDA11ED3C011AF8462C1B7AB347CD5153921C36A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258987Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.779{C189DCE5-9154-6149-1927-00000000FC01}38681032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000295874Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:22.009{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59143-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000295873Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:22.009{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59143-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000295872Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:22.003{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59142-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000295871Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:22.003{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59142-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000295870Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:21.989{5097E253-483C-6148-0D00-00000000FB01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59141-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000295869Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:21.989{5097E253-484A-6148-2D00-00000000FB01}3024C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59141-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 23542300x8000000000000000295868Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:24.212{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B356ABAFFFCCDA023566ADB35D24B6,SHA256=118FFFD84DB21ADC44DB90C9EDA677464A80F7DC47CF36BB170D80AA3A044035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258986Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9154-6149-1927-00000000FC01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258985Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258984Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258983Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258982Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258981Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258980Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258979Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258978Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258977Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258976Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9154-6149-1927-00000000FC01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258975Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.607{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9154-6149-1927-00000000FC01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258974Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:24.608{C189DCE5-9154-6149-1927-00000000FC01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259004Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.810{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428E76B4844F5C980DDC77F48F1DB7F7,SHA256=349F020098F5CA9B78EF0B4C9C4C5AB135C199C9360C90E88D3503F324BCED53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295875Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:25.227{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D046E28EA0282F10A28F7DCA47471DD,SHA256=092BA8A6689C9C65E45674DD03578E2821F0646F080B49F1FCDB792EF5B35B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259003Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.669{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F143984DA6911CB219A2542E56B21415,SHA256=5B4293F8F4EEB3CEF71C46BABBEC5FC7533CFA522AD97D47F2BDC94D805DA46E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259002Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.466{C189DCE5-9155-6149-1A27-00000000FC01}34802760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259001Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9155-6149-1A27-00000000FC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259000Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258999Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258998Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258997Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258996Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258995Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258994Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258993Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258992Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9155-6149-1A27-00000000FC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258991Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258990Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9155-6149-1A27-00000000FC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258989Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.279{C189DCE5-9155-6149-1A27-00000000FC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000259021Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9156-6149-1B27-00000000FC01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259020Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259019Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259018Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259017Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259016Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259015Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259014Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259013Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259012Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259011Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9156-6149-1B27-00000000FC01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259010Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.841{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9156-6149-1B27-00000000FC01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259009Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.842{C189DCE5-9156-6149-1B27-00000000FC01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259008Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.810{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7175209B3EB6CD5FF854D97F8FFDB241,SHA256=27A5DA55EEE1CCD3C9D4F128850ABEADE8F6687C8B6B9CA8B827723F351B0A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295967Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.913{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46EBA8DE2E4E6AA92CDECBF4DD7B8C5,SHA256=F1FB956B171BF22511C47353837837EDACAE86962150C84E34DDE2382269D140,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295966Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.903{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295965Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.903{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295964Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.900{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295963Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.900{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295962Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.900{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295961Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.899{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295960Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.899{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295959Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.899{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295958Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.897{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295957Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.897{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295956Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.896{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295955Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.896{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295954Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.896{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295953Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.896{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295952Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259007Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:23.898{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-11539-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259006Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.581{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50829-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259005Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:22.475{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9995-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000295951Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295950Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295949Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295948Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295947Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295946Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295945Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295944Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295943Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295942Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295941Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-483D-6148-0F00-00000000FB01}3002352C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295940Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.884{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A6FE3E7401E8B65B2DAD87B3F5A89B,SHA256=8AE83785FFBDC25F32A348AD6CAEB053B499AD3261E16BC8A9EB1BDF7751F55D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295939Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.774{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295938Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295937Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295936Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295935Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295934Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295933Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295932Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295931Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295930Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295929Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295928Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295927Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295926Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295925Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295924Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295923Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295922Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295921Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295920Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295919Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.759{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295918Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295917Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295916Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295915Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295914Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295913Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295912Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-483D-6148-0F00-00000000FB01}3006752C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295911Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.743{5097E253-9156-6149-842B-00000000FB01}80885488C:\Windows\system32\AUDIODG.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\AUDIODG.EXE+1665|C:\Windows\system32\AUDIODG.EXE+294b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000295910Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295909Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295908Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295907Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295906Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295905Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295904Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295903Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295902Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295901Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295900Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295899Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295898Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295897Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295896Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295895Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.712{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295894Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295893Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295892Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295891Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295890Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-913C-6149-832B-00000000FB01}68727268C:\Windows\System32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\audiosrv.dll+d70b|c:\windows\system32\audiosrv.dll+d080|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295889Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-913C-6149-832B-00000000FB01}68727268C:\Windows\System32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+12932|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+45ff|c:\windows\system32\audiosrv.dll+d05a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295888Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295887Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.696{5097E253-9156-6149-842B-00000000FB01}80887128C:\Windows\system32\AUDIODG.EXE{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\AUDIODG.EXE+123f3|C:\Windows\system32\AUDIODG.EXE+15dbf|C:\Windows\system32\AUDIODG.EXE+18297|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295886Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.681{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295885Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.681{5097E253-913C-6149-832B-00000000FB01}68727268C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\audiosrv.dll+17a8c|c:\windows\system32\audiosrv.dll+174ab|c:\windows\system32\audiosrv.dll+1767b|c:\windows\system32\audiosrv.dll+17431|c:\windows\system32\audiosrv.dll+d02f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295884Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295883Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295882Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295881Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295880Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295879Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295878Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295877Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.665{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295876Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.259{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268231330C3E65CC1BA58F0C9C6C7F11,SHA256=9CD0D1A1C74A9BE81BF97140E473666C7BD2C4EF6D0C025F498559EF9C3B326C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259023Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:27.826{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFF5B71714198D0BD62DCE3A3D037C7,SHA256=08957A05311A5D78547221E4C9CAF274F6976DB7072BA14B1E50AAC9461577DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295970Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:27.885{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295969Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:27.884{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295968Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:27.270{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5854DE29E6B259589C4C982BF3F05F6E,SHA256=8CC6C431E67506E78D9AC76BB42A6A4B2BEC4F0D167194E4B072B04226401A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259022Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:27.200{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01BEB80C05227287C5E91493701B83A2,SHA256=2412231AD84B03DAB065BABF4D7348513A453D3655FB99E3EEBAA68631DDB45C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259026Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:28.841{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB48E24F6F8B5ECC8D5E3D26F36FCF95,SHA256=18E383F565EB5791545E532995AFD7757F593D4B96F4EA50B5FAED1A19937ACA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295973Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:26.499{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59144-false10.0.1.12-8000- 23542300x8000000000000000295972Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:28.606{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=73CE7C9D78133165B9D980BBC89E7DF5,SHA256=FB9FCC2797B345A3BA1EE09C5BA3FD3FB7C4302A0C815C05AD5650B93492AD68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295971Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:28.274{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79F9D0039E99689981194CFD128DA1B,SHA256=EFDB9C92098F68E349B4B6F6C600D57CC8AD5A4DA3FE6C394390FE0FFE1E7C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259025Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:28.591{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C4032FC7A00453AB161661F6F76D8F2,SHA256=483A755383CA738D187F1A9F5C8D0ECF744EFC852F22B7C155C8B53DABEE6AC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259024Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:25.321{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-12949-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259028Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:29.857{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66E2E38318023D08D451A1DF9D30E8D,SHA256=AADDD5C38222561C30200F3F97F5FBFF48DE2146FCB452B5DE511774CCDC4B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295976Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:29.274{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C47AC72F7FBEE8F2DC266DDF04AB7D,SHA256=E8456F16A2059F92FA9B063479F7260384225D15875C89D947D88B1F03D76803,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259027Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:26.775{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-14428-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000295975Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:29.134{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295974Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:29.134{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259031Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:30.872{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F033825788DD6C316E0C05C43AF2FD36,SHA256=90AF903B2B98057865F38624B2FA6286B6CCC70497230FC67F9EEF9DDBD9823D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295977Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:30.274{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1ED6A8F9D0B357217BE1D39DCA1C376,SHA256=992BADAA17FFE578F35D285F3863320CCC42E9F102FE1CF5C343CBC7DAB9B0D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259030Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:28.181{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15936-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259029Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:30.091{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EF32CA3A6E7F30DC14A9EF95586FCCA,SHA256=96F454BF0FE0C81BF043E3A6D1B4C0865742EFC6B9EFCEF06F8E769828B78D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259034Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:31.903{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895D4D50F3DDAD2C6B7B114BC58E60FC,SHA256=217854716A31D3FE526FF6C1F5F43730287D7FFFF10FCF10437EBF0DDABD85E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295979Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:31.731{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1368MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295978Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:31.276{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF811A1BC363E21D6A95870E300C08A0,SHA256=CF5EEB967DE29DCC899D7229D08B412E975C22CB8A66A63CD0B64B3D1B48CA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259033Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:31.482{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE1E0EB2E1FA9CC00713AB966CA0A49F,SHA256=EF441A71E1E4708DB804EF8C8C1B1D71B8AB22DDD4C76635C1736F8D9EA9A424,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259032Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:28.581{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50830-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259036Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:32.903{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B309FF40DD8F86CFA1A99B1C1D7062D,SHA256=35C163D15740766BBEE3E426CC0A5F10B87534F8C9264C1795364ED547A51255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295981Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:32.746{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1369MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295980Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:32.322{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4DB8FD06162E2424EAE0D212E5A116,SHA256=F044E94C6C7FC69B92A4EDA0A70736A25D4BFF528BA7B377D9600A33EAE997B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259035Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:29.663{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-17320-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259039Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:33.935{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66669C62514433D95FC2A78620466967,SHA256=1E375B6D72C0EA11C2DAA71DDDCAD002D65EF2D187953FC893C846BB8BEBFD5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295983Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:31.562{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59145-false10.0.1.12-8000- 23542300x8000000000000000295982Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:33.328{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16340BBC75F8FF951CDBE63409722AE5,SHA256=55694B6EFFAD552518D4F5B51C68921496F1FD278881654DFC7E82844A4EBA12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259038Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:31.143{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-18944-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259037Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:33.013{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B2BCEF0A9DA87CA59051ECED88F0585,SHA256=E7387373CDE801C4F36D4DF2AC0BD8024912F9BDFE9C9E51F19164F82A9483CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295984Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:34.344{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175EAB4DB03BE509CB2E9D5CE6E807B2,SHA256=3ED122E5CBB05D7D6C36424B34041DC2ACEDDD6845E868A185CBE1CACFCB6608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259041Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:34.575{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E7BADA264F37F14FB4A091B866312F0,SHA256=BF2914B3C442500D232E523457B924D5C9CB600EF44977B2D1D5DFD579D98613,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259040Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:32.565{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20325-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000295985Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:35.344{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5708D4966A10D6A63EE0C2658ACD33,SHA256=1AEA17A082E984D2DDC5E8CAA85CF2A0A932C34DDB36BA7F1B9D98C5287D10CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259043Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:35.669{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A49C125855D859B59EF387D8687AFE5E,SHA256=798057DC90358AA5D8E082274C9BE8065BEB690D384332B52E8C61E6A1684F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259042Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:34.997{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5055729A88ED89D118A5761BEF08156,SHA256=239D3294875DAD1D48486A45393CD4A942A241C4D87DDCF28C3E6FD9FE6BC1C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295987Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:36.360{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F384A0DA62E3AFED26B56CF37FF11DB,SHA256=21265D2A78854F8D6E0BCAFF6779AA1F17698A158C7AA4690D1A70E2CE5F1F51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259048Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:34.156{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-21974-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259047Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:34.050{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse188.165.200.30ns3128168.ip-188-165-200.eu55859-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259046Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:33.329{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com65029-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259045Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:36.231{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259044Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:36.028{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD82A00A0775811FA0583497CF26B1E,SHA256=1CC7AF9FC1EAD3BD7C19F7ED6BED2E7869A262C39AB86B8A261FD273B422B943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295986Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:36.329{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295989Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:35.631{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59146-false10.0.1.12-8089- 23542300x8000000000000000295988Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:37.375{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B9AF6B794736D69F0C4E509E2BF60D,SHA256=EB508B4323C8761AEE698C52BCCFBB99D47F273F57B5C301E7328F8D7C01A8A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259053Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:37.700{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4EB70C7534198694E3F8188F6479B12,SHA256=3359C1FBB2DA4A433967E2831CBCD8CFA68E46ACA2E7C9E82FF3965970FC74E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259052Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:35.690{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50832-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000259051Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:35.684{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23373-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259050Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:34.596{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50831-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259049Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:37.075{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A39A20D0A0D9A6F04574BBFF8671A9,SHA256=1D92AD870E7FF29BED0D7350180C99389BA91169EC1FBB893AF7723217A75A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295990Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:38.375{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A53726BF9B35580E0FF8CD98650A625,SHA256=916CCD8D2696ABF19E1D1DC33532ADBDE0C1FEA94BA975E9BF23A5AA98B31CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259055Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:38.843{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1360MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259054Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:38.091{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB55927BC0C04334E9137DA389BE92B0,SHA256=F9E656355ADE6DA5CE9D9ACAD77E8A889C3C447FD14683E4527DE0E288B455FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259058Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:39.850{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1361MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259057Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:39.130{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD02F9D87B0A16959A05E6587CE1D99,SHA256=7B2AE61E381D4B76663047F155BD332ADC36A05B3A7FE82845EF2025D7E33B50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295993Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:37.851{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-49623-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 354300x8000000000000000295992Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:37.475{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59147-false10.0.1.12-8000- 23542300x8000000000000000295991Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:39.391{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59D88B912BBC9382FD71A3AE6B931AA,SHA256=F20B578503CD1E4777B4F115FF253D3EDCE0A72FE45CF5167DB64AF2609EC49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259056Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:39.114{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70F3F8D2DB45CA316F4ACEFA0DF5523C,SHA256=8DD3DCC9AED6974E4A4EF522F8AAA8BA42F8AD0402046B234E437F52273D10AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295994Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:40.391{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF4421667C452B49E4B18B02726D858,SHA256=CD96FE111A3423B29E4E099498ADE76BC386C71770DFB7CB5B3CE7C5043DBB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259062Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:40.616{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBCE29A8B8B8B4273BF69E751A97CA7F,SHA256=EF3C9EEC1E7E45C1744453C773C98AC4326FDF7BEEAA97F803EA61514A673C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259061Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:38.734{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26577-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259060Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:37.278{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-24977-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259059Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:40.176{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA48000CB31ED9DD6470DD76E6353157,SHA256=EF14E951D67D15F00DEAA0754B3B17CD8208E75A630E6BE114408A097CB693D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295995Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:41.422{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5705D6CFF624D6E392D2860B10D83F42,SHA256=1E554FBDD8A844FDCF00AF1CA291D06860E691A63F5745D6641C1F5E04E03A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259063Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:41.178{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13620CCAA9F0D4C29EDA81192195C9BA,SHA256=66E24333AFD501D411873316D9DA713479A65375B8248513149B1BD0AD70F029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295996Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:42.422{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D609DD1494486B220509E51CFD41440D,SHA256=CE8AB021D8AE60CA0331BDDDAE5A70308B78F98258917147E7D3062B77D3CED3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259067Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:40.606{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50833-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259066Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:40.188{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28005-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259065Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:42.194{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B873C489EEBA6A0086F6F9FBB53F544,SHA256=F5FC460B8313985EB98CBB1326603FCFB2229A51D12B453A953D0F30DE36340C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259064Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:42.038{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F17D5AA2D703FDF3EA3D073E45D2125E,SHA256=A566FC9745C5AEEA13015EA49EFD908874F36EC343030B7E75D4CD36E03782FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295997Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:43.435{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8F90EC92BEE8DD02BCA46E6C8AEFD5,SHA256=2112E72C475AD520874B1D809DE406AAADC0A0E105CF9BDE93BB9D0CF802D175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259068Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:43.235{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F72C6347932C66745EF1F418FE97FC1,SHA256=E5878BA993A6ED6ABE1A21042C5A5808C42F8BAD69258A184FD6FC13CB6A9F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295998Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:44.450{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E28792921CE79EF514CB2C8E678557,SHA256=DACC8EDC765423931DCDFBAE9AE5247875DE7FC6F3AF98C68F020A59111DB881,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259071Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:41.600{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-29587-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259070Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:44.267{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4401ACE00F9A451C992A2EA8009EA5AB,SHA256=DE557CE481DFC1A61069947E07B45D7AEA216F129B3244A6C3C026B6C848990B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259069Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:44.017{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD88C7C36E1D52B1D7DB82733CEC0471,SHA256=BEB042AC876B79FF111EFF55ADCDCBF35AE55529F49BEBA9B361482A8B1312AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295999Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:45.466{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936DAC878D519BE699F27AE7AA9762F5,SHA256=69001A511AB6717E8BE09209939CBFE4F8244C7074523D53B68C9013E9C8692C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259074Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:43.588{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-31400-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259073Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:45.392{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=912D9F29F44EE9A7D22C2ADEBA03CB8B,SHA256=AA3D54B764DD874E0B9C167F9F38EB16308E781EF7CD71DAB8A8FB5EE8269DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259072Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:45.267{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8581772694A71191BB451468DFF554E,SHA256=B8F27C39DCE4458643BA17DF13CD739D78F7CF6DAB4B6B029242782E53E1C054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296001Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:46.482{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26821E96C64AE5DB6F9E8928B5C78613,SHA256=39D0EFE7005E6252E9AC89E19828241487C995C99142EF11D8C31B29E07B0B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259075Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:46.282{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3B03E6A61DFF6D2529CDE39C02A696,SHA256=FDF8CA31C1483FCBA07D9F44C26FD5362A35B1CCA19A9E9378AFF7A2C502B67B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296000Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:43.440{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59148-false10.0.1.12-8000- 23542300x8000000000000000296002Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:47.497{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93767CB1EF8679F7F0BA5C5D55D86527,SHA256=7588DC81E40D774D5436407CFBA4E6B427E59B4A2A7885C7F9B2BE94F5B2650E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259078Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:44.995{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32978-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259077Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:47.298{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36FE84069221067391B1B7C2F6FB57E,SHA256=2830E23C743CB97E7B8B6595A4864DCEFC49D4F873A19BFE7D69F561FA2DE93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259076Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:47.065{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C07A6833E0F10F745D35F3D922FAED0,SHA256=0006A1ED488234CB3FCE42F910C49B252A603962699848114B11A1ABA19EA459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296003Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:48.513{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1948EEC965BC1B5EC12BBBBFB20BAC7C,SHA256=1D6D627362C08208A0C34C9092BE2B7C6F93E679718FC04F15A7459B173174BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259080Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:48.407{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50754FAD3A4CBCAD55CD0892F3CBD0AD,SHA256=6E352E2CFAA9BF937986C4A513D6A9FB8A086C2CE5CE58FCA163C34B584F2091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259079Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:48.313{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69BD4D1AFBC7BABAB56286014A46106,SHA256=B7E391C168C0E63314800D320713C4E815C71A784C0977577F9824C129DB43A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296004Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:49.544{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3221E38A57C1A38E45FE9B58FC4F2D7,SHA256=CD8E4F5913144DB3B1E5F0EDA540F4CB06E926E6640E0669B2B84BBFD2CEC74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259085Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:49.845{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94E6185633609D99B3872CAF252DB442,SHA256=88403FAE9361FE0C1A1F4F1E8312C47E59F8CBA20F970BD0AA7CD0CD861DA4F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259084Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:47.959{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35915-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259083Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:46.647{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50834-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259082Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:46.616{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34392-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259081Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:49.329{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE16428B1857255698DFA2FD78E5B1F,SHA256=B81DB8C686C6B71CA564FCEA9A553FD83FACD9A70C2F07337AED6D2E0F1FBA22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296005Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:50.544{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F56DC5CE0BFE004CC16C53FA00F7C7,SHA256=1FE88853BE27322C222F1836693CE73675D6E2B825DD949E1C35978C34584FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259086Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:50.345{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4748AA8955EA4E5B0DCD199CC08B7F3F,SHA256=DF9C5E4D5546EA3857F2B5656A71436FB28753371C79079FFA00BDF09A3AC02D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296007Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:51.544{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CC37FC4D7484546A935CC2FF5FF56A,SHA256=0FFF5EC1727EB357AACF1A1C78D45FBDC0553B677FCE8D6FBADE381B99A44DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259088Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:51.376{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C1B1D5713820E8D19FAD953D055C9F4,SHA256=84955235679C398ED141130BD8A6CA8C10052308CCDAEE7A11F015B61F3832A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259087Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:51.345{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E17B3EF260DA6C60DA4A0774ADB56B5,SHA256=4CC35608DA68DD7D08B9CA56542F230B74CBCD730CAE400C7483EDE9F92A5061,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296006Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:48.581{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59149-false10.0.1.12-8000- 10341000x8000000000000000296016Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9170-6149-852B-00000000FB01}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296015Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296014Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296013Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296012Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296011Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9170-6149-852B-00000000FB01}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296010Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9170-6149-852B-00000000FB01}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296009Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.576{5097E253-9170-6149-852B-00000000FB01}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296008Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:52.560{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF35B4A81AC58BF07D1310CF70EFE96,SHA256=DC550429CF4A9C07799C8FC6A60A6C89D1B08F594E9079BF67315F5D875953A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259091Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:49.474{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37376-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259090Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:52.688{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E69DB68990C74D1F1E95CD3C6CC7A64,SHA256=F9914BB72ADBDE61383ABE5E10E814D2C44B84F3A57304FC0D2D1D05B88CCC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259089Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:52.345{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CA9E8DD64E4A6372A69E80C3785FAF,SHA256=F3FE2C38F3DDD298FF1A7CD573DB69B9D2BE7BC599F6F4C45A1890DD1B21556B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296033Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9171-6149-872B-00000000FB01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296032Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296031Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296030Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296029Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296028Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9171-6149-872B-00000000FB01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296027Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.919{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9171-6149-872B-00000000FB01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296026Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.920{5097E253-9171-6149-872B-00000000FB01}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296025Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.576{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE37745DBEEF821C60665EE6E312C12,SHA256=8E64AE44494CE58D98F3E2FD1A2F985B55A71E906A6A95C760218E3B46E85757,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259093Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:50.925{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38878-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259092Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:53.360{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AEA1F90D33BD17B1D688F0C73E3E5A,SHA256=4B1832BDB7B6F16186666E9D553896BFF032BA7D4BB1BAFB965907550555B2E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296024Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9171-6149-862B-00000000FB01}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296023Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296022Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296021Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296020Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296019Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9171-6149-862B-00000000FB01}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296018Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.247{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9171-6149-862B-00000000FB01}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296017Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:53.248{5097E253-9171-6149-862B-00000000FB01}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296044Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.732{5097E253-9172-6149-882B-00000000FB01}65806368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296043Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9172-6149-882B-00000000FB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296042Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296041Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296040Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296039Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296038Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9172-6149-882B-00000000FB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296037Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9172-6149-882B-00000000FB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296036Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.592{5097E253-9172-6149-882B-00000000FB01}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296035Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.591{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A7E808912FDFCC01394810A638A5BE,SHA256=4C5696143936B4B7F0DACB9B993ABC1906C2318DA09E6AAE665276120D8D14D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259097Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:52.538{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50835-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259096Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:52.317{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40323-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259095Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:54.376{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A6954C148B34BC0EF5FCD706E97331,SHA256=8A327F4C59B17928D02DA1246C5EF09089B9D840A4DF2B13351C5E0BD21493AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296034Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.060{5097E253-9171-6149-872B-00000000FB01}13645296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259094Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:54.204{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E64FEB622C4DD64DCD4BBBFD00003786,SHA256=3B9384B3FBBD1A71184A193182C899F441395B592C6448A89DCE3C007177CDB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259100Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:53.818{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41842-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259099Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:55.626{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7F36AEC9111DC5B91F8470A70FB6D76,SHA256=2AE3BB74BDEF9E94EB49D5F69B664B3531821DC6C885C8380344C3C929427572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259098Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:55.391{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE140358FFC4D129CE4016940F33312,SHA256=E5AE8B13A867B2B2C3E7410D7EA40940A92576DA7C209AEF52B14B4C4310EE3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296063Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.919{5097E253-9173-6149-8A2B-00000000FB01}7206788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296062Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9173-6149-8A2B-00000000FB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296061Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296060Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296059Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296058Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296057Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9173-6149-8A2B-00000000FB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296056Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.779{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9173-6149-8A2B-00000000FB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296055Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.780{5097E253-9173-6149-8A2B-00000000FB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296054Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.591{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FE682E52A2B3FB36B42A2F20B495DB,SHA256=6E5A37F7272EF63971931BBE936E682B23194C63D02DD3EA2CDDFF516BB76A96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296053Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.435{5097E253-9173-6149-892B-00000000FB01}42921496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296052Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9173-6149-892B-00000000FB01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296051Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296050Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296049Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296048Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296047Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9173-6149-892B-00000000FB01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296046Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.263{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9173-6149-892B-00000000FB01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296045Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.264{5097E253-9173-6149-892B-00000000FB01}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296065Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:56.607{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C6D52AC7F66FBEB2032FE7D0633C34,SHA256=B799C79545C34069D432C1BE9F2F5EFFA267F30584D0AE5FEBEE8DB73E7BC4AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259102Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:54.331{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com63879-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259101Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:56.407{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F86CD146DAB4A225FA13DAF16549FF4,SHA256=28EC827BB6606493889BE42CD3E3E9CB273CFE3DA3D83918E019F88E64F8DBA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296064Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:54.503{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59150-false10.0.1.12-8000- 23542300x8000000000000000296066Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:57.607{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4768C0CC907FDE9E3F4FC0E1F6051B8,SHA256=9F8924670351F8E34671DB626F81B81CC9BADC392C9DE7F0A63D683A247847B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259105Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:55.185{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43266-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259104Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:57.423{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F134B4F380336459E7180438A5AB13,SHA256=0AB1A8EE7BC88F9EEB76656674D09F3688EA193105E327DDA34F76CAF8137CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259103Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:57.079{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=823C7E1CE2C805244179EBF7C0DEEDB4,SHA256=579BF32C527F252E7E47F835E45025AE7AA6D542E4665D9B4F9D71ECB87A9FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296069Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:58.622{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA94BA4C24973409B7D7905DBCABB2D,SHA256=14847C0C38A3DDA36A0AEC9EE5B69A9AA77699A82CA5D78032A04FAE7E99404F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259108Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:56.799{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44884-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259107Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:58.673{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7000D1BC0996A9A58B7FDBA86AAD216C,SHA256=362995561FCB4631B48EB3736D17CDC12D235C758C5A1BC9298C4A42C53BE303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259106Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:58.438{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BB06386F0CA5A0023AB5CC08381E56,SHA256=852D302749238599E33459F60782EE5CC864BB4D959788077E3D75B73DF4BBE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296068Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.816{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59151-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000296067Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:55.815{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59151-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000296070Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:59.638{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC0B0D4954F2FA95CA550831BDC59AB,SHA256=05FB3D166475DB9E09712D0F7E843CAD4FDDBF03463A856A4A25E760385848F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259109Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:59.454{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24755A56C40520AA657BA2530E9DF916,SHA256=6EF0A03C8F1EE4551F5D8E8F836D17F6C32739C755A2E00CCDFF4FE574B0D070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296079Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.638{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD764E2E145336F8570A5FDE76C8C1C0,SHA256=86918F72F8D882D3DD14AAF3BE086F84CD371B700B8CAE787A139E10CB2E20D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259113Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:58.569{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50836-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259112Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:58.240{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46334-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259111Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:00.469{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1F5DA199DEA6E04D34E8B7BD09B375,SHA256=D2877D7372AE3EB108D0DD2A079DD28C73FD5B419C9ADEC8270117C4C958CFF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296078Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9178-6149-8B2B-00000000FB01}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296077Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296076Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296075Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296074Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296073Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9178-6149-8B2B-00000000FB01}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296072Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9178-6149-8B2B-00000000FB01}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296071Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.029{5097E253-9178-6149-8B2B-00000000FB01}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259110Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:00.173{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6D4503474ACF307F195DE9606B25AAE,SHA256=49F7D23870890E63B0CB508609AA909A54DA68DE89D8D760AE56A830198C7C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296080Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:01.685{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE244652B35627EA64F1EB9E7D565E3,SHA256=6C2C24FE5E0C4105C4C47F7194701A4099BF9A96EFFB42278E800523A24D371E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259115Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:59.813{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47918-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259114Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:01.485{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED42A366DCA1482BD59D10D7D8C38C7,SHA256=ACBE425613E059C69AB2E5397AB0F95839484C0D907B7DD2CA8365FB20D30F7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296082Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:00.409{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59152-false10.0.1.12-8000- 23542300x8000000000000000296081Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:02.685{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13B89D24B489B66B8E57B0FB5687639,SHA256=0A1E3B771B0D60DDBEB7C858D598D536BD860FD80D591404F63316F481E7C03C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259118Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:00.163{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48287-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259117Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:02.501{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C04FD8C1680A6F8B2FEA8E9513B697,SHA256=9330C5EEF069F5DF39E42280E0B65FE79309DB64A55C57FA3B6987B78A303B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259116Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:02.016{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=351D702CAEDAA5F671885145F5FD73E1,SHA256=AA51CEE8C16D055A179E392E5DF79215E0F90EDA9A621A0E8D5DD6F66D4ABD32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259122Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:01.569{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49814-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259121Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:03.505{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D79E49C4265CACFCD36EEEF9539CD1,SHA256=2FE9E84857E184E4EC223A14CFDB8B69B59DBCD50F862B0873FEFF04A0830445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259120Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:03.505{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5A07D31E6C726F4AD1E1F975249CDF5,SHA256=0968855F0BF3C4F07EB6DD3F5FD79EA04A8DC26792EC84621976AF4FD2D92B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296083Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:03.720{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969D83DB298426A172C88DFF2E9B408E,SHA256=FE3271CC77844DFE2DC93BBEEBEA19CE0234D1C2FE2F5F03DEBF01E89B1AF05E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259119Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:03.192{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FE31B5D2DD9268459D9C6E82D490B1B6,SHA256=D13E9F91E88827389B971F50A1B0F96CE5F48DECDE035CA517936DDC2F607F48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296084Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:04.736{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DF11B117C70F4EFCAC08BC04308EF6,SHA256=B4A81547B00648D899F0E85C95185EF8FF07D38314837556E52B92AB4F7DF3AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259124Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:03.118{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51361-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259123Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:04.520{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAFA541F42D6D8B91101E0E8126D38E,SHA256=7C1847EC6733F080EE8A79A2C3683987FDD37E624D5A74AD2DBCCAFE9B0C3236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296085Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:05.783{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D1A35AA133A765288E0061325725A9,SHA256=C6FC8AC5A5A1BBD2F8E67383E6B336CA2D3B5C4A2F7CAC4832E354718241BF4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259126Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:05.536{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22C73580C5064029B115EEEDAC85CA5,SHA256=B7315BA7A57FBCC9A7444FEAEED653DF1CBE4DA77EE31C357E698379836AF8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259125Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:05.067{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54157BBF781F881683DCA31CAE332123,SHA256=8FDB68E6342FBF257822C76C95E4648D8F9C86306E4BAE22250020896024AB8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296086Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:06.783{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0640AE32DA4426627F4F2167BD3FF5,SHA256=9D52AA25D4FE018E787A50AC20342A82E1AEA84334634B1AFDB60B1420C9105D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259128Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:06.692{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=937364D5BA37D0167613698B9418568B,SHA256=C5AF20D8244A7A9675374C27080EF3A5558F7CAE61F49460D4690663F7608BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259127Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:06.551{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A0AAF8D2698E02E50BAD3EE581F970,SHA256=BF22EE3649917D31B8EE3F36A301EF0B9C0D58DBA5AA4B7A304944E548D146F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296164Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:05.413{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59153-false10.0.1.12-8000- 23542300x8000000000000000259131Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:07.567{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F8733BF9C8D07EE181AD2E57DB0F88,SHA256=4B13D0A8C6929721248B4B8452265CA20D146D97A8F195856FF4E6981660FAF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296163Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.732{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296162Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.732{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296161Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.730{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296160Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.729{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296159Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.729{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296158Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.729{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296157Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.729{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296156Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.728{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296155Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.728{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296154Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.728{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296153Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.727{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296152Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.727{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296151Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.727{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296150Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.727{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296149Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296148Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296147Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296146Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296145Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296144Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296143Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296142Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296141Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296140Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296139Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296138Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.720{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296137Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296136Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296135Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296134Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296133Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296132Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296131Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296130Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296129Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296128Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296127Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296126Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296125Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296124Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296123Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296122Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296121Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296120Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.689{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296119Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296118Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296117Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296116Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296115Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+30049|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296114Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+275e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296113Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296112Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296111Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296110Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483D-6148-0F00-00000000FB01}3001904C:\Windows\System32\svchost.exe{5097E253-9156-6149-842B-00000000FB01}8088C:\Windows\system32\AUDIODG.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\termsrv.dll+4966|c:\windows\system32\termsrv.dll+199aa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296109Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-9156-6149-842B-00000000FB01}80885488C:\Windows\system32\AUDIODG.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x2000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\AUDIODG.EXE+1665|C:\Windows\system32\AUDIODG.EXE+294b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000296108Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296107Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296106Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296105Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296104Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296103Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296102Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296101Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296100Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296099Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296098Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296097Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296096Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296095Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296094Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296093Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296092Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296091Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296090Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-913C-6149-832B-00000000FB01}68727268C:\Windows\System32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\audiosrv.dll+d70b|c:\windows\system32\audiosrv.dll+d080|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296089Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-913C-6149-832B-00000000FB01}68727268C:\Windows\System32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+12932|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+45ff|c:\windows\system32\audiosrv.dll+d05a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296088Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296087Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:07.673{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259130Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:04.786{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53007-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259129Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:04.557{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50837-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296169Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:08.871{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A497BFBA6F6BDB4B3F3C57A4C07BDE7,SHA256=E8121E3FED4944E69AC21D2E5F448DBCEB0F1C07D87E58807D82839AF19E36A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259134Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:08.582{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E07B54C5155F0A0155141C369676AE8,SHA256=FE124743B30E07CE0B2CE34B909A0C2D5AA6AE72730AE257B6EB8932A8634209,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296168Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:08.721{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296167Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:08.720{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296166Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:08.228{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294D50ADEA436BE01DC8E884ABBA5D36,SHA256=8BC646ED42F22FAAF8B3B46C0D44527998716DCDB096F7A29FEEEA9EB88DA823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296165Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:08.191{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F9A78069749CF7A2D47705DC5D24292,SHA256=326B9C944E20ACE15FDABD50182C66D66520DD4542804B3B0A3D9D0C907772C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259133Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:08.426{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C346801C23FE8C13248FD88B51CAE05,SHA256=FF7FBDF632B03E3097DA8E6F50C87F0557007A2125F8EAB7E2502457FFF304C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259132Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:06.353{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54615-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259136Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:09.801{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BE2DC793E434BFEF02B24BC7C4235FA,SHA256=9A266E1611AF9E18AB1C58651F7F56DD975C4FD8AD8783690A7B905248AD25FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259135Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:09.582{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EF885DE8FB4C1AA6A7D8586BC39A1E,SHA256=38FE87347218A68E676AD4BFD24D6C9E7A0B90B0935678B5AF096EE63E792C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296172Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:09.884{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A44BE3D6E3761BC9F68109CFA15F842,SHA256=A5628B049E2570515808235B11209400ECE71FE07E6E5CC6B2EC084F2F4EE7C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296171Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:09.482{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296170Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:09.482{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296173Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:10.884{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EE4187AA809AEF4D144253F20CAE76,SHA256=4DC2C88CB1A3F73F3BA0B3CBE102D6E9C7AD382E3090DF66F7E7A5C3A46B532F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259139Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:09.380{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57818-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259138Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:08.001{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56295-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259137Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:10.598{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C28519E423B701B561D4C092E2A2591,SHA256=888160DE9760CF34F848F7A84D9269D868270F186A7D6F370AECE7812CB82297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296174Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:11.900{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1806675C38859116B74D5820F04F27B,SHA256=5F573E1AA6034709F69F403B05B2A380D0FB3ABD29E308A66300B7D05441E984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259141Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:11.598{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7504DF1AC5FD65FE71496A33A23BE4E9,SHA256=C8CEE393AFF1E2F949A61F2CEA36798EBBF14C030F887CAB5A122F351B9C8044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259140Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:11.348{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C094D0BCB048CA354AF44525A1208C6,SHA256=B4CC19ED4E77E1B33374C5B3EA0C3302E2A6F785A3AA633B63CEA1A878839A03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296176Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:10.452{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59154-false10.0.1.12-8000- 23542300x8000000000000000296175Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:12.915{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF94BB535761353F81F0E4113F73C67,SHA256=44AB1EE128C054527F3EF62C994750F2E58C70AA25E61B7EB3F7E9B46B004372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259144Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:12.832{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE9D6890A0CCDADEDC4CE08792F621B6,SHA256=71AFBDA2E25D13752DB95D53B66DFAB334A79AA9D943731C7F32028A5A235A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259143Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:12.614{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA223C538A14760CE4BB1EE0E30FDB83,SHA256=4ABDBE3D81C503F053E566519EE47FA93D023E3D70E5C2305D43EB1B954B25A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259142Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:09.714{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50838-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000296177Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:13.931{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47CE3F2BD7CDD40288803C6AE7F83D84,SHA256=577CC13BBEDF398E155BA40BBC81304C360B3946A1F0D025CD872D2BD03C7C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259146Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:13.614{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4092BA7AE7C96B3242F95466F8FC2667,SHA256=E4ED9342D59349E1A94BB9C5BE3720D359FD15CC04CC1074D4CD3E81770BCF6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259145Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:10.942{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59347-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296178Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:14.931{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B0CDE08A0CDB319E2D4EE1A3CF51B3,SHA256=89897CDAE2864C9F08D569E74899C3021B607D809202C99221860D12FFC5D9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259149Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:14.629{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5459C4D6FB8326BBA627DB6FDF70631,SHA256=2FFEC05EB8674DD570D37FC21AF21EB388F49C34E94DA508428C57107BF2F861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259148Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:14.207{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B63364F5029FAF50E3965C8ABE2AB2B,SHA256=EA00C034CFF721A1E258AA9FCE9ED2DF22062B4F0D75AA0E96FE8F6609C98966,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259147Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:12.406{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1976-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296179Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:15.947{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1900D7504ABCFE536D8106E1313CE2A,SHA256=FAD788619FAA9A9D1D9C63567B7521162CB0EB1EE8EBA280EC944557E5DAFB80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259150Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:15.645{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C7E288350CB074626D96C03431165B,SHA256=C4357B2D55D356DDDCB4AF02816F46D63ACDD986361BE8F408DC00A8E3D19A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296180Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:16.962{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7160A0BE3752F231CDD0FD31129BAE,SHA256=AD45A07319C190CCC2CD6401917A319706527C9332EDF5798F5608DD7BFA41EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259152Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:16.660{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BE9F444942CB2162ABCD4645C02BCE,SHA256=C0FC17667A7B40B46E46E2678CE6F1E3A1A8287269CFA2CC98747AAAD62B437A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259151Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:16.145{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E98BFCA075255459E625EDD830E403DF,SHA256=94CEC3FD616E447173C202086564DE3A3227AC3AE571F2E2D47DF2CF638A8711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296181Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:17.978{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29359D5B571132C551FA2F20FAB2018E,SHA256=4AD9F89AC8E4B56EDD1184517E185AE051E184FC9C4B0226DC0F07FC7CEA71ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259156Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:17.676{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D688FA36DB497AD85A796416E956A85,SHA256=707268C3E4D2D8142416F7187B8B1C1D58F3C2C00D309F554E9D7F4AAAC4786B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259155Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:17.395{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2564D86C9FDC8A6E03BF4FA84D4D89E6,SHA256=D6E2B8BB24E0A6CB455F5C657787329B09DBAD36232AE3A844EE0B861A7250A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259154Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:15.479{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50839-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259153Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:13.901{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-3436-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296182Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:18.978{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F372FBAA2B6CDD940151629FF53D55,SHA256=AA197DC28697547DC5042F061AF632B32B0D038E0CAFCEA84C8120AC7B7F8D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259159Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:18.676{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A91FF923F89B1CCD93F699F2A2EED9,SHA256=092A4A1B6EBC1DEF55BC5AD54C49AAA25C0B80C6B51A9C0D7CFF2CEC19F0A1E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259158Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:15.778{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-5214-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259157Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:15.701{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com63203-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296184Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:19.994{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B53A2D587DB6BA30526D1BF72B48B4,SHA256=5E6686A4445265D45F9994F0049ADC0B0906959277CA9661DA8CD98734B492C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259161Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:19.692{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4B2B66BD8071A47BC0E4A84D3A44AA,SHA256=63783BE43188A98985B49F84327369F57131D804BAFB3F3961F6C66D546791EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296183Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:16.421{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59155-false10.0.1.12-8000- 23542300x8000000000000000259160Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:19.317{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB92F2173B3F6B07EF7ED914343BF987,SHA256=409D86C321AB6655C288C556E9888D6407CF416190BD9883D22D64D6FED2AAE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259177Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-918C-6149-1C27-00000000FC01}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259176Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259175Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259174Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259173Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259172Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259171Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259170Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259169Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259168Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259167Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-918C-6149-1C27-00000000FC01}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259166Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.848{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-918C-6149-1C27-00000000FC01}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259165Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.849{C189DCE5-918C-6149-1C27-00000000FC01}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259164Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.739{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA14A25A1E4F727248BF76F446830C2F,SHA256=6DDA02F9B451E0E6AD724B8AB74442811DEB04FF444DF35F731D595E0CAAB4D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259163Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.692{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C9EC50660BF17CCE2B1E34C5F84F1C,SHA256=7492F2A384EC8ECEA24B8918335646A71138620288939F6D7E4709876AD782C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259162Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:17.227{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-6766-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000259206Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-918D-6149-1E27-00000000FC01}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259205Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259204Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259203Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259202Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259201Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259200Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259199Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259198Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259197Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259196Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-918D-6149-1E27-00000000FC01}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259195Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.848{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-918D-6149-1E27-00000000FC01}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259194Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.849{C189DCE5-918D-6149-1E27-00000000FC01}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296185Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:21.009{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0266BDD12B9F620A81FD769E06AD2756,SHA256=2441117C6C330FCA10FC00972604CB9D23B5A23434125EA6F3D5B3A19E0A49E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259193Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.567{C189DCE5-918D-6149-1D27-00000000FC01}32042216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259192Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:18.929{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-8367-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000259191Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-918D-6149-1D27-00000000FC01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259190Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259189Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259188Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259187Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259186Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259185Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259184Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259183Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259182Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259181Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-918D-6149-1D27-00000000FC01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259180Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.348{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-918D-6149-1D27-00000000FC01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259179Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.349{C189DCE5-918D-6149-1D27-00000000FC01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000259178Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:21.098{C189DCE5-918C-6149-1C27-00000000FC01}10283480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296186Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:22.009{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A60FBFCBC32BFEEB86B9A95882A8BFA,SHA256=D1732FE7C76FB94EA380270030D4C5AB432618343F87E0FE725EA1F819DF5961,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259221Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-918E-6149-1F27-00000000FC01}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259220Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259219Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259218Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259217Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259216Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259215Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259214Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259213Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259212Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259211Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-918E-6149-1F27-00000000FC01}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259210Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-918E-6149-1F27-00000000FC01}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259209Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.520{C189DCE5-918E-6149-1F27-00000000FC01}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259208Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.020{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735AEF399FBF26531D5F48EACE74586D,SHA256=902B51FE44449A3BD4C8F83C334E57EFB8A16CDB6624EF6602E20AF0C15940D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259207Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.020{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA8899E84B479A9B76FC2C1273FDC3E0,SHA256=2B86111E7FD8C675D643325903B64FA4541FD1DC886C566E466FD4B30D89FB11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259225Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:23.524{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6876A015FA449FA481EAD4B43E383B6,SHA256=FFFA8552F5FEA50254F627FE11BF50774161686BA965A4948716F09CFA2E999F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259224Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.667{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50840-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259223Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:20.371{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9954-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259222Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:23.149{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BB43E16FE60399BFE69D400F23C905,SHA256=C6CD5D59346FACE0407E3EBCA38DDF616262D5BBE0A21AF3FB06869AE4A8057E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296187Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:23.040{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947DB9E62DCFCB33CE4A57B51F3E183D,SHA256=0523EB832B2B05C67DB46827CCCF783D0ADDC28BDB7429C68414245AD713C983,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259241Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.818{C189DCE5-9190-6149-2027-00000000FC01}10001876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259240Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9190-6149-2027-00000000FC01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259239Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259238Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259237Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259236Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259235Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259234Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259233Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259232Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259231Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259230Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9190-6149-2027-00000000FC01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259229Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.602{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9190-6149-2027-00000000FC01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259228Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.603{C189DCE5-9190-6149-2027-00000000FC01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259227Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:22.131{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-11697-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259226Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:24.165{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE074FE49AAA9076C2CA7B4A73B70E10,SHA256=22F3664CC23E7BFF2CFDEDF3C666C44A9B75F599C4541898E5AC9C9E65025AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296188Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:24.069{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FBB8AD593DD0028E691A11640DE7BB,SHA256=26EB36600A0D263C8DCB1C6788F8D69D3D54268D7A54616BB81397DCD8C23B2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259258Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:23.552{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-13236-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259257Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.540{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDB0BAC9BF9DCD3003856A3E25E3BA8,SHA256=C9BB75CA8C3E52AEB3C21B2A9D7283DA2E6FBCB5BF5CF0A46C9227A1CB542F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259256Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.540{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7740017435CFD96BAE8E5A4C2B6791E0,SHA256=ACF8E56C6457CE8B0C755805E73E56FCCF38525910EA9355A6E04199FB8FBC5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259255Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.290{C189DCE5-9191-6149-2127-00000000FC01}33043968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000296190Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:22.358{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59156-false10.0.1.12-8000- 23542300x8000000000000000296189Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:25.084{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2E8C1A5386493E03CA959C5DB221CC,SHA256=0B5A5DDA81FD9CB7D38EF78EEBE46A952A2F7CF97EC2948032019AFB739BAA8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259254Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9191-6149-2127-00000000FC01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259253Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259252Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259251Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259250Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259249Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259248Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259247Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259246Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259245Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259244Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9191-6149-2127-00000000FC01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259243Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.102{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9191-6149-2127-00000000FC01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259242Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.104{C189DCE5-9191-6149-2127-00000000FC01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296191Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:26.100{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BAD5604A37116855643AF586F2BFB7,SHA256=1892EB1D3EB7E08CDF78B93904CF842C23B6CEA35861094604B3BB2ADB40DF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259273Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.930{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D036A2DCD2ECA56E2C2CFCC43D98D4B1,SHA256=68C86033CC71121E793CB0AE0D599AB913B42A1C90CB3EDF61D95A9D20C3D254,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259272Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9192-6149-2227-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259271Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259270Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259269Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259268Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259267Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259266Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259265Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259264Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259263Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259262Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-9192-6149-2227-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259261Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.680{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9192-6149-2227-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259260Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.681{C189DCE5-9192-6149-2227-00000000FC01}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259259Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.305{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812CA0D1376E0A076511194246542230,SHA256=807E6BCB6527B30B85B579AB74958EA7FAF6B88CDA978ECF43EB8A195DC23125,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259275Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:25.040{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-14729-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259274Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:27.321{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2DC60C258A2369ADD5C45538EEDDE6,SHA256=9FE8FF4AA70ED71A1AC4D581B6214389176623460A6B04608AE54A8A137CAB1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296192Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:27.147{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB1F86075D2CCE1DA2F08C41C17F5FD,SHA256=587030122D72FC5F93DDE2E7BCC136CD8C9DB7BAF8F56B5E81A9B0FC2C306BFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259279Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.702{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50841-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259278Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:26.497{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-16250-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259277Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:28.337{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69F6A9E55C3C354F1ADCBAC777C0675,SHA256=5A56EDBDED48675D009F09E1A99C8D84702B0D2B5B3FBF0D0AAEFF58A4C82BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296194Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:28.616{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DE55538F90FC748C52580CC26BD211FE,SHA256=7B6DB1746276719839940E42C5EC63EE22250D29B88415D8E1B31AE0570F170A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296193Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:28.147{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70569973F185F77C5FDCF0DDB75F4E9,SHA256=82C960E4F2F5DF5E59A00699E2838C2A174CA927862A858D4FCCDA7B68B13577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259276Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:28.290{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=761D8329F902551E6E4AFAB1D62A772B,SHA256=D517BF9161B5D3A8F69BBAF1F55A12B9876A8899B23EEA43278260A39CDCEAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259281Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:29.962{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92C7FE63DD2A29F33925080A6FC9CBD8,SHA256=45B853E3A086E3104D59A73187D5A55885BDE4977CAB1A0361E66BD6D030117A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259280Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:29.368{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854ACECE6AEAA404944035218A504879,SHA256=7FDDD39AA5F18FE05A64C646BEA6EC790E92245F3E96CA09739DD56F8F310AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296195Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:29.210{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5483165705C4F1CBD349FC8CDA66F6,SHA256=4B065ADE9E8E7C9137F78233E8AC2E1B6063AD9D7865471DDD4DB08BABF038C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259283Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:27.901{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-17731-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259282Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:30.415{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B98A55DF413E53ACACFD39E1C4BA898,SHA256=3A90CB076E18A65A3A4ECD220FCA4D341943C9B3BE2F375AA03498399F9DBB7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296197Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:27.574{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59157-false10.0.1.12-8000- 23542300x8000000000000000296196Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:30.225{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B89B6DBBA30F321363658AC411A1D26,SHA256=2CD67195659A7747CD8EEF3429F10855123097301BDDF3D7B6981C1BAA699944,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259286Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:29.622{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-19404-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259285Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:31.462{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C981376D877166530BB356192D23D4F,SHA256=5FCC48A2AB57436D2D1074BA116A615F86885A60257CD7C2F68598277C555A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259284Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:31.446{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1A39690A27988F89F83DD2DE8AE3E2,SHA256=697BF3423115E2357353537A8721135ADD022D053377520936C481FA60981C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296198Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:31.225{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C207017BC31C65C7A57003DC02C917E7,SHA256=7013AB13A924BBBCCE0BFB98008C98FB0004CF0DC8ABD3BEDD1E4C99B9B85EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259288Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:32.946{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38A547D2E4A3B0CCFFE0A7CFBB59F803,SHA256=79D9AB3B3BF38989728BE44718EC86348ADC1BF3388F628A51F4BB7AE8E96699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259287Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:32.477{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=782DDEADE151EF29892237FEA59D77A3,SHA256=A6334D2759C3418334A141C54D6932FE48A2A533EE9BA3AC96FE71B4285FBA4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296199Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:32.256{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5822BABB12AE0841A9F0DEE2AB20F7,SHA256=7412C39D1B37E45356181EF87B205E8200999E0795ED75180812571F94A28F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259289Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:33.508{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5CBFC756D7E52B4BDB7B2369B65BB5,SHA256=4E0C549DDE1140A6B8FF8848673F71FDA33B68AB1843560D8EA98569B632ED04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296201Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:33.267{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED30D9E15E683CF529C68D4747B26A63,SHA256=ECA544FF806A746832E260FC94DA1A1C8590863CF0BE221458B703E90DD18072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296200Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:33.262{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1369MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259294Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:32.687{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50842-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259293Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:32.496{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-22506-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259292Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:31.046{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20945-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259291Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:34.524{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95B64EB0DDEA862F8F76B1E98DB534C,SHA256=EA69C93BC5DAB30B4B2696A5334E676213D1511C69D776C34D54D7DDC560B4B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296203Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:34.277{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC3A4D286323933EAE813FEAA41BB72,SHA256=6131021EC323505E582B446B729734FB458B5F522B1CF7B6F0DDE9CBF18780A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296202Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:34.276{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1370MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259290Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:34.337{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=354E98F744F182D714A521795B07EB61,SHA256=579E1C4623245C8D67BFA069BEE3FC25C44F5C64233F610F63501E2668329ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259296Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:35.727{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3623EB8D1A73209B8649ACD69D8333CA,SHA256=28F2D0464671E20BD1B35D1C1461F7654E6B7FD65E6FDB47A69D815AA311D060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259295Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:35.555{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0606D5CBA909DFD28706EA454B27E6D,SHA256=41C27AB6EB8D68BC3C626115D9725A859A8E1A8B8FD2BEA649C297562AA1B08F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296205Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:33.436{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59158-false10.0.1.12-8000- 23542300x8000000000000000296204Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:35.308{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAE87A9ADF0B22A720842F7FCA619ED,SHA256=3EF1F2DCDED8E7BF3766D03D7EBE7441AAA9B5B4C3B7903262B114B7223EB4E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259299Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:33.964{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23958-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259298Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:36.586{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDCDFBDCAAD2296D1CEAED094CC52C84,SHA256=FE538D1AF8B9C145F7AC9F45EC8E474CDB65746E8D391865FFC8A8FE9EDDD466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296207Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:36.355{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296206Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:36.324{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EA14E5164D3D8471E4CD36423ED168,SHA256=FA27F83CC51E51EB7271A6CD0B6914E3D258E04B94DF3597D409A71234B2DFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259297Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:36.258{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259303Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:35.718{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50843-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000259302Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:35.279{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25415-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259301Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:37.602{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2E1835685BAEA54120525C76ACBB5E,SHA256=6520F4D432D73C386DE17A3960CD1FAB739FAE83DAD1B607FDB60B5EE835CEAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296209Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:35.657{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59159-false10.0.1.12-8089- 23542300x8000000000000000296208Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:37.339{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A58ECDF3BC5F0014D8EC5234181A07,SHA256=CCCA1D425E3241AB2A4E8865B3AE2840826F5B074B3C4CF99B387AAD83750FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259300Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:37.274{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=050960EE6506AC6D1DE7FA64E84C49BA,SHA256=F1A6E8D519652345FA1C079D7485ACBF1FE0F872BD1281B5B506358F307A8389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259307Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:38.618{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5ABDDBA8525AFAB20B7B837A80D6172,SHA256=A519F93A1572D4AE016F38562585F561828495C21BBCC48AB6ECABF07F07A305,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259306Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:36.826{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26979-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259305Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:36.691{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com62147-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296241Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.558{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5E2A54928D4300A43C78E6C0DA621A,SHA256=2A5443B0E7802D9B35ACD0ABCD71BF25AF38CC664741B23ED1148FFF9C7AE581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259304Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:38.415{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F39D2E424B312464AA4CB9BB9C28DF83,SHA256=4748322AE80DCB9301793C6589767F00E927F10E7766B541541776F02778705F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296240Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.199{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296239Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.199{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296238Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.199{5097E253-8792-6149-AA29-00000000FB01}48164044C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296237Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.199{5097E253-8792-6149-AA29-00000000FB01}48164044C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296236Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.183{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000296235Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.183{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000296234Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.167{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296233Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.167{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296232Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48166104C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296231Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48166104C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296230Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000296229Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000296228Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296227Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296226Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.152{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296225Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296224Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296223Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296222Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296221Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296220Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0D00-00000000FB01}9044436C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296219Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296218Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296217Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296216Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296215Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296214Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296213Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296212Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296211Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-8792-6149-AA29-00000000FB01}48167040C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296210Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.136{5097E253-8792-6149-AA29-00000000FB01}48167040C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259308Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:39.649{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A368FA0F639A827775C032A430456F4,SHA256=6A6C644678176AAE8251A6D846F308CB1E41C6338D65FF12459B7790F41D7AA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296253Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.996{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-919F-6149-8C2B-00000000FB01}8004C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296252Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.980{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-919F-6149-8C2B-00000000FB01}8004C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296251Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.980{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-919F-6149-8C2B-00000000FB01}8004C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296250Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.980{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=34AF723733FD361853C7AD07BA73927A,SHA256=EF3F246B2729D6888CB7AACBE82B25825F1E46654A72D2C4BFDBB9355B5E18E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296249Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.980{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296248Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.980{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296247Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.980{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x8000000000000000296246Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.808{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296245Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.808{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296244Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.792{5097E253-8792-6149-AA29-00000000FB01}48163452C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8030785F8A8)|UNKNOWN(FFFFEA35CD4A5B48)|UNKNOWN(FFFFEA35CD4A5CC7)|UNKNOWN(FFFFEA35CD4A0351)|UNKNOWN(FFFFEA35CD4A1D1A)|UNKNOWN(FFFFEA35CD49FFD6)|UNKNOWN(FFFFF80307577103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000296243Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.792{5097E253-8792-6149-AA29-00000000FB01}48163452C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8030785F8A8)|UNKNOWN(FFFFEA35CD4A5B48)|UNKNOWN(FFFFEA35CD4A5CC7)|UNKNOWN(FFFFEA35CD4A0351)|UNKNOWN(FFFFEA35CD4A1D1A)|UNKNOWN(FFFFEA35CD49FFD6)|UNKNOWN(FFFFF80307577103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296242Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF87A88FA3C4D7FCD6D0104265E80658,SHA256=CEF66D62D703C019796F4DAEBFE340B9E43F9095159592E9FDED9C45A06A41CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296273Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:38.532{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59160-false10.0.1.12-8000- 23542300x8000000000000000296272Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.824{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CA8F1F903E55F831FB9AFDDE370CDE,SHA256=387E1830D0DBD4424EBD6DFF0A23C756901D1C5AA938941A75621DCCEA7FB249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259312Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:40.717{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA4C6525442852F4D922D1D966BF7AE,SHA256=A95311D235C2A9623E026062F2DA274872F5435C2349F68BEF28D629A7E09E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259311Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:40.670{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2E09857CB2A7E766E81F45983864D08,SHA256=31C28E41121904EB50DDA60E89B523ADC513437C4D902BA39D22CF65CA6BBA86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259310Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:38.640{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50844-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259309Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:40.372{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1361MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296271Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.089{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296270Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.089{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296269Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.089{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296268Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.089{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296267Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.089{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296266Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.089{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x8000000000000000296265Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.042{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=34AF723733FD361853C7AD07BA73927A,SHA256=EF3F246B2729D6888CB7AACBE82B25825F1E46654A72D2C4BFDBB9355B5E18E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296264Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.042{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296263Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.042{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296262Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.027{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296261Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.027{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296260Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.027{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296259Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.027{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-91A0-6149-8D2B-00000000FB01}7336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296258Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.011{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296257Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:40.011{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296256Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.996{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-919F-6149-8C2B-00000000FB01}8004C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296255Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.996{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-919F-6149-8C2B-00000000FB01}8004C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296254Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:39.996{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-919F-6149-8C2B-00000000FB01}8004C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296290Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE3ED702C94FD46AA829F0F1ECB1AF8,SHA256=E9DD2DE62EA10706CC18C2D353DEE2173B4A1E16426E85F6446E185B1D43FF30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296289Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296288Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296287Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296286Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296285Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296284Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296283Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296282Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.871{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000259315Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:41.747{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50B19AD11001CFC75582627BCE55CCC9,SHA256=61F567C46DE0C766D4D87BE6501E6C8C402D9DC95FCFBCF30CBA412C405B2D96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296281Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296280Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296279Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296278Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296277Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296276Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296275Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296274Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:41.714{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 354300x8000000000000000259314Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:38.841{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28999-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259313Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:41.374{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1362MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296291Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:42.928{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16104EE7CD715FF6C8837C5F566C0B60,SHA256=BACA66F9CCFB21369AA31D8DE352CEF8C77FBB291F3141A549B55D5811966764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259317Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:42.843{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852A9A010088AC015FB60BA7F5757EAA,SHA256=5443F48581373897DADD8B41211D009D2119C5B8CA1A6A8507CDA5B709AF8DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259316Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:42.265{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72367580E60673A16789D7DA909BC6C2,SHA256=7F6B111386049C82EB00FF3AEF1A58703DA12C7A454BD31B77B9407B29D27F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259320Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:43.853{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CC164B490C000317535D591BDFF3A5,SHA256=64DE1DF6C7F447730D9137AA7208327C02DE9F5373684513AD32490528507E53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296307Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.711{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296306Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.711{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296305Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.711{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296304Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.711{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000296303Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.586{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=61ADFE68D1904E44052D072437634C4A,SHA256=668148DF3DF1EB2D9B6486346D2F77DEA02BCE09A421B4954DFC5C50E31AD733,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296302Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296301Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296300Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296299Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296298Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296297Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296296Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296295Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000296294Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=3C331164B14BC1FAE0D9A80BE60EE2AA,SHA256=08510431DB4B60F6ACA094401E110349CF37A62E5D9094092E3401BE3C26EF9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296293Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296292Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.570{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 354300x8000000000000000259319Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:40.247{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-30524-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259318Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:43.728{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31428DD503B14A88BB8BF66423FC1281,SHA256=10C22212DC8127F4185B84248091A942075D82FFA67D7A6CB59B8C2C030B1CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259321Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:44.885{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88916973A700212EE29839A468537B61,SHA256=99BFD831243C9FC0FC80F6CD7715FF169F95E11137618EE17CC0AE799CCB8B34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296342Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296341Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296340Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296339Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296338Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296337Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296336Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296335Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296334Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296333Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296332Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296331Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296330Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296329Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296328Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296327Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296326Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296325Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296324Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296323Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296322Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296321Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296320Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296319Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296318Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296317Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296316Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296315Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296314Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296313Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296312Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296311Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296310Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296309Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.461{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296308Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:44.023{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA75BC689BDD5F6B75310D759495620,SHA256=149A94D5AA469E2AEA2D398F039CB3359215527B1CC338A4159AFF50E9BFED8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259325Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:45.947{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED81D30C8974F5013DFC741C6DB4C71,SHA256=CA96C5ABCCF74BBF7E05A55B3FB4CA1C541236DA1CB837E446B5EF98118F951A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.445{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000296355Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.367{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18BD5A74EA6C941CD76101569B55DC82,SHA256=CF28296A3D6474F095ED071231C7525F3A5ACFF0633554313E404A18E7AAF8EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296354Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.226{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=9F324BCFF9745B6C4C70E0AEDA8D0222,SHA256=89D3B3D99DC975EC46D3397D4B697B799AD1F2C2B3453F7274018CD76C7AA821,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296353Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296352Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296351Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296350Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296349Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296348Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296347Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296346Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000296345Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-879A-6149-BD29-00000000FB01}5136ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WPIVN7AS\microsoft.windows[1].xmlMD5=3000BF2DFF6D6F2502D90E202E76099D,SHA256=8B76EE0B927AC1BE2841E68B7A1E3FEAEA1F9F60604F3C09489C2ADA36E24CC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296344Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296343Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:45.195{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 354300x8000000000000000259324Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:43.355{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33639-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259323Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:45.306{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=667832767B6BE7390CDA7CED2F23F44C,SHA256=654B9EADB8BC40CBA1A1C912553C0BCA6EB7F5D14B3B37BD9A814590D030FBAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259322Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:41.851{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32098-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259329Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:46.978{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01B4B77990A895DB9E5E2B83D50CA09,SHA256=B4EBB9E8C9DBE6DCDB20C767AA713E38DE6280397D95DE9C06602F0D5285E6F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:46.273{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-483D-6148-1000-00000000FB01}96C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:46.226{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880F99A295EB8A3D466617192E5C42F5,SHA256=5E5BEF8C3590704A32534ADBF02FBBA8EEC50DB3FA9312D7DD8DB8A5B077DD2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259328Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:44.857{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35234-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259327Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:44.672{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50845-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259326Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:46.619{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=485CFB5FD592E8B41A1A8D742275F2FC,SHA256=BE669B7B139FEA65F92AC06487D758413473C0311D41117DBA814313B69BA1E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:43.544{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59161-false10.0.1.12-8000- 23542300x8000000000000000259331Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:47.994{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6731B1EE4E676EE67547E3FFC524374D,SHA256=88564F5BC914FDE0CB8D3667ACECD6017284E10B3F166D1E6CF273AEA0F16AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296375Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.258{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=599221FEA6116F48B5CD689D4BD06F02,SHA256=8A0095517590F2686D22B77D5FB7C44A726617AA90A1ECF5C548C041C90EEA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259330Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:47.978{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D3B0B4B6A9748B0D31A9352E4ABF147,SHA256=679BE6B63945DBDD7D9B7886B20AC6CC00401117C99E23DC2E5F91E7F137122E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296374Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296373Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296372Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41845960C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296371Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41847952C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296370Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296369Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41847180C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000296368Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000296367Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:47.133{5097E253-8791-6149-A029-00000000FB01}41845428C:\Windows\System32\RuntimeBroker.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000296376Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:48.273{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808F58A883A6FAB39719F46367A31D03,SHA256=A2044F24348A580D94BB9621F617164B537AB78BA1CA857FA74B40F318E6F2EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259332Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:46.170{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36712-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296396Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.289{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191BF3344C6818C5F65AC92719757DBE,SHA256=F15943997DBEBC50DDB77D28E7B663B0BE26F5978050405CA18321121A3C60B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259334Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:49.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24AAEC01776A58B0B54C00D70CD3FF84,SHA256=CD2AFCE60DF989F7A6B020B8D59123FCE06CE20545A580796D3E7028DBA8960B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259333Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:49.009{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8A72A3F2DE39D1D8929F72C418C742,SHA256=4B61B2D1F503848923C6DC0A02FB30C8455FEC5334FF07A546DBD0C8BB77C756,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296395Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000296394Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000296393Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296392Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165416C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296391Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165416C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296390Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165440C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296389Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165440C:\Windows\Explorer.EXE{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296388Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296387Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296386Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48166808C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296385Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296384Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296383Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48166808C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296382Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48166808C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296381Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.039{5097E253-8792-6149-AA29-00000000FB01}48165884C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296380Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.023{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296379Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.023{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296378Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.023{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296377Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.023{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296397Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:50.430{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193938961D7C1432FB8F9E53DABD52DF,SHA256=7E2737C3E892EC517D9192A41A899281A8790154866060D5FBA8683A7AE14A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259338Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:50.775{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFC5BC7B4E73615A8FD1EA77344EE348,SHA256=51F314F874601196486F442E15ECE6018E27CA31DA41ED4D7966D83745A1C164,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259337Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:47.577{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38146-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259336Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:47.470{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse188.165.200.30ns3128168.ip-188-165-200.eu62447-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259335Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:50.025{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6E8C8B448B06DE0039200B619E2605,SHA256=332A12C212F9A191017FB66C6F350DCA82D890D23E99B1275D7930CD49031351,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296401Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:51.539{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296400Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:51.539{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296399Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:51.539{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-483D-6148-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296398Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:51.445{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E52BF297E720DB155D1DB0FAEB3DB8,SHA256=8B11DDDFB0D362D0F9AF4F73773C93F8E1CF17C1C9E9FD8AC424CFD0AC0B30A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259340Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:48.951{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39551-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259339Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:51.041{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA0DF37462E39D57F5F5BAF291123103,SHA256=B93BAF9D4DA6A96CA67F2F951D7B72F76E68349876FD1BB76E471D0300CEDE36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296412Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.726{5097E253-91AC-6149-8E2B-00000000FB01}60044508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296411Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91AC-6149-8E2B-00000000FB01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296410Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296409Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296408Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296407Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296406Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-91AC-6149-8E2B-00000000FB01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296405Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.570{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91AC-6149-8E2B-00000000FB01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296404Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.571{5097E253-91AC-6149-8E2B-00000000FB01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296403Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:52.461{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335C687638D715DAE2C254E71165857A,SHA256=70EA5F51006552385B5D1E2A6E805A87868E2BFCE89DCED50D963E73771DD58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259343Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:52.556{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE0526CF55FEF09B9903BA028046A2B2,SHA256=F0F6856BD06DCBAC23D3CB30906E472CF8F54C4075421E08C4DE92CC82F4C9E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259342Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:49.704{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50846-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259341Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:52.056{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0406BED4AC2CB86B225548AF537F75E,SHA256=B81F0F85A73CDC0E1F824060E0457FFFE3C6A8EE450DA867CF67C646350243D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296402Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:49.512{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59162-false10.0.1.12-8000- 10341000x8000000000000000296429Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91AD-6149-902B-00000000FB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296428Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296427Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296426Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296425Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296424Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91AD-6149-902B-00000000FB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296423Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.914{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91AD-6149-902B-00000000FB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296422Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.915{5097E253-91AD-6149-902B-00000000FB01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296421Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.476{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8357FC71D22A44917CB6F52E90DBDD6,SHA256=F7543276ECEAF8411A68D017A6536D9A6EFCEA7563A7721C24B315654A2B76D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259344Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:53.072{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EAC30581122D6D19B97E4B515CE61E7,SHA256=9E58148D9801BB2C9D83A7BA01E77A9EADAD200A4789687E5A3C79BBEB542A0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296420Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91AD-6149-8F2B-00000000FB01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296419Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296418Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296417Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296416Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-483C-6148-0C00-00000000FB01}8483388C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296415Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91AD-6149-8F2B-00000000FB01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296414Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.242{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91AD-6149-8F2B-00000000FB01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296413Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:53.243{5097E253-91AD-6149-8F2B-00000000FB01}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296449Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.726{5097E253-91AE-6149-912B-00000000FB01}67966816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296448Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91AE-6149-912B-00000000FB01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296447Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296446Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296445Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296444Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296443Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91AE-6149-912B-00000000FB01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296442Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.586{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91AE-6149-912B-00000000FB01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296441Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.587{5097E253-91AE-6149-912B-00000000FB01}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296440Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA53B6EBF175DA5E7D830A29105ACA4,SHA256=5BFDDA2F4557565D951F8CA44AC6BA3C60C47AB1E990203110DE517F21B0907F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296439Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296438Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296437Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296436Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296435Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296434Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.508{5097E253-8792-6149-A129-00000000FB01}43166336C:\Windows\system32\sihost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259348Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:52.171{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42812-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259347Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:50.724{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41109-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259346Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:54.119{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC70A9255D0DA1776553A3412B38279A,SHA256=6376FEE1C5BE3EBEC567F961509D47FF1C04D93124CC008D949B787DBB3069A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259345Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:54.087{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7ADB84F1B02867FEFB74902C866CCEB,SHA256=94BD5E7D9C5213A007D0E62B1AAC8274628D684DC5270F85152C6A634426B053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296433Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.336{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296432Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.336{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296431Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.336{5097E253-483C-6148-0C00-00000000FB01}8483236C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296430Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:54.055{5097E253-91AD-6149-902B-00000000FB01}57245860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296467Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91AF-6149-932B-00000000FB01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296466Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296465Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296464Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296463Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296462Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91AF-6149-932B-00000000FB01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296461Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91AF-6149-932B-00000000FB01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296460Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.822{5097E253-91AF-6149-932B-00000000FB01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296459Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.820{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A168FBA88D3622D433C9F1A9E395AC,SHA256=A1BAEEFBB5A8BD7E3A759B6E0E82EAF0C84C3DA935E6F30F0CF0BD88ACA94881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259350Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:55.478{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C24E47018BD18B45B211B4CA11A5D0F,SHA256=59EABE88296DE28530FB4A92FD3039DDF004B8B96C466CF788918E66270516A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259349Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:55.087{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6F1C7E174B1257374CD2CCC362E9D5,SHA256=2751C1A8D2799ECCD08868CC85F7829C347F2C84EB6845025E60EF6763182A7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296458Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.398{5097E253-91AF-6149-922B-00000000FB01}68804800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296457Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91AF-6149-922B-00000000FB01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296456Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296455Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296454Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296453Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296452Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91AF-6149-922B-00000000FB01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296451Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91AF-6149-922B-00000000FB01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296450Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.258{5097E253-91AF-6149-922B-00000000FB01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296468Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:56.961{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E196F2FE25E66BB88FDD403583365D,SHA256=38DF3002EBFC967680DD2AAC99EE2191F892D892236DB3FFE327406F442F90D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259353Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:56.947{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10E2D03F9CB26F2455F54BCA79DC5980,SHA256=0AEB790C0CF4C5D59D57C3F09994DF7535835F4489528A4EE9E183A09DB873CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259352Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:53.705{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44256-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259351Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:56.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9135E5124CD388A1793E9119D05E256,SHA256=D240DDD281042C3A0D1B80D7C16E5505A29CB9D656A0B87C7D479945D56F5E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296469Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:57.976{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB971BBD29EED61D52FCDCF954CF73B,SHA256=47EFA0461FFA8A4C1805ED184A25BAEC43167336A401FB0233E5A984EBE60C7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259358Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:57.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259357Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:57.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259356Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:57.337{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A3F-6148-1500-00000000FC01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259355Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:57.119{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466784751D5FB28E79436DA31313E06A,SHA256=17F84BE250AD7AF208013A1CE887838798EAF4A1714D038027D4DF47BCA5C672,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259354Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:55.047{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45810-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296473Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:58.992{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0AD989F237E14C17A660031CB02DC3,SHA256=6DF57BD8232C13958A7F85C2F70BAABDBD9858D31FB9E37585B30CB5EB711958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259361Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:58.384{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=984BDC24E721D88CBC21996405405890,SHA256=A2187F2E09521A5FBF33CAA44DABB2C83863BEA5FAD8E7BD1DA5DE97B7FFD26D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259360Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:55.703{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50847-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259359Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:58.134{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC4E3F129A20D0AC893CD81C6CA5198,SHA256=D8DFB97F8AE13B66F58CA30074146C252611EDEB2C53DDAB93B63A5CF989B603,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296472Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.825{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59164-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000296471Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.825{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59164-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000296470Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:02:55.544{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59163-false10.0.1.12-8000- 23542300x8000000000000000259364Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:59.431{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67BF285B83EF2CD0D62F1C1CC3475B1B,SHA256=B90C652FFC58661B9F33001D7E97DD51EB5FFC14049FBEE7C7107D579AAE9873,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259363Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:56.551{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47267-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259362Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:59.134{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C336B2E44B59399A341DABB896233CD,SHA256=ED740AC10F08379C696FD338A9836533677AB06C46BDA63ECCDFBDCB0F751527,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296482Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91B4-6149-942B-00000000FB01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296481Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296480Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296479Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296478Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296477Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-91B4-6149-942B-00000000FB01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296476Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.023{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91B4-6149-942B-00000000FB01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296475Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.024{5097E253-91B4-6149-942B-00000000FB01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296474Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:00.008{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F31BD840DEE5BDE6FE205D24B6AE72F,SHA256=BC7189AD20A3A6E5283385154DA0AB05EBAB6885321F39E3C6032DB80552940E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259367Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:57.933{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48875-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259366Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:57.711{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com61127-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259365Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:00.150{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A97DFF78BB0547EC1D0E302D44FDD9,SHA256=D3F872BCDA689429964E2F56550133DFADFD14D0EA3A1C424BF4A2BC830C4C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259370Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:02:59.333{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-50245-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259369Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:01.165{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A0A85A6F198CDF7ECEE65EFF674AA9,SHA256=F9126A40A43E8B448FAFBDDF7DDA1ED162B08EA5661551E15D840E088B13A299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296483Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:01.055{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5F160750581283EA815F9FA5AE4435,SHA256=16939E681BE8EB50D477B1D60119801E44B9DB16928063BB346EC0C0DBC1ECDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259368Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:01.150{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EADF7F93361C94154E613D38C55FE838,SHA256=02E82A230F4549F0A9204C6BE8B73180A0790DC625A6731E9D397B1E0C4B4899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296484Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:02.086{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1961E5BB8B4A4FA64F085F0B2D5FA1FC,SHA256=ABAACED91D9DB554D8D2B969C9FF3F36C78434F8BB4CC6D89FB413BD214DADF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259372Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:02.603{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F68C11EC4FD7165237F38D6C194DB814,SHA256=08438B4A22A6D5B343F0A555289AB7974884271C67E57D13671E7FBE371E88DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259371Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:02.181{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5393647BF4B8D8C8DD6193FAA9EF766A,SHA256=F2F4B46D416F164B82774323BE97B5F99797C826FBEEB176C443172BA3396F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296485Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:03.115{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E024C08D20191291F8FB2FFE076424E1,SHA256=0EAF099C3480CD5CF2D5FE3C9528A20091096E304F84D4063433A3A7DA34E7D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259375Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:00.766{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51662-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259374Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:03.194{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EF5D1160E6DD9DFADD8EFDB5FA4A12,SHA256=CE129C46B4D14F69E96A416A5C9ECCF86E72360319598B71BA78C2A5CA6F734C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259373Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:03.194{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9B4A2D35660E8AE3916862481A677E23,SHA256=FF80B4091AC9906D116B87D459A2ADE91B75FDBAB0C0151607BF55EA95D02F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259379Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:04.445{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94AE18578A3A69AD5D51ACCD4DDC0203,SHA256=C9E3E6A5071514B8C43C87908B234833EE0CD795A987275ADD46BBF1A3AE0BE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259378Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:02.219{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53247-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259377Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:01.657{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50848-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259376Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:04.210{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B86BC4CD6701F3642D26F84D15AEAB,SHA256=87874A69711DF3B75CA1B53B71EF5F1466AA6B0D20A024B90560560B9E780FC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296487Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:01.481{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59165-false10.0.1.12-8000- 23542300x8000000000000000296486Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:04.130{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3E4A794B85E671FAC161D0868F2F34,SHA256=823BFBBD26A896B4AB71C9534EF9345DD6942918AFA1DF939B0BB42473FA084B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259381Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:05.897{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04595325628208C36702C8969C9555AA,SHA256=32A9A5E4395312532751DD6BB62E9974AD187FED38E76B905F60A6EBBE62B259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259380Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:05.225{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919AA8C18DDC63DFA6206176C125540C,SHA256=8D3BB7F98DAC529335871F9456D6E69AB38BD5D3A704D9CA5A29226637FF08B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296488Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:05.146{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5400C68039DD8DA3085E3D4070843643,SHA256=6ED9717D9E93DE9C6F1F96C40CA7DD85C6C3988572F3CDA759FFD29A3BEF908C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259382Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:06.241{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB291B5232B89FAF578BAB389289F0F7,SHA256=991E391FA0B1ED37EE841DC26809D585F42BBFAF77F0A0E0736092B2130D53AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296489Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:06.146{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A64DEECEDEDD4EF13C6B0D5F30E830A,SHA256=68D2A5157543C376D753576B373220EF730F04C100B744ADA9070B399F1BBDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296490Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:07.162{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BC71D13D3056E502347ECA55CECF0C,SHA256=59BA1C07E3B2E709FBECF77A4D06B8173ABC514C7CA73933B623A6D46E486222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259386Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:07.694{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=924571F9B425585DC8EB95B5EFCBF865,SHA256=50202A0AA23D98C09B0AA4D898BD95300204F8B35C48B36F37A64A2473863614,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259385Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:05.518{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56720-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259384Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:04.112{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-55109-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259383Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:07.257{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71944B3F7584167C8A475DEB70E38785,SHA256=941A3B87664D5AC8CF4AE02F85E8D1EC4EC6707CDADFED417FEB6EF932875B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296491Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:08.162{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917CC80E1C23A9D7C69D918D8315051B,SHA256=5C49129C53ECD27B26C5F64CE6151E35BF6ABAEC59658D04B2C6287CB90ADB46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259387Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:08.257{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E6048DE71E64B71DAA0690B3D509ED,SHA256=23EDF99124A53071DD5E3DE458FDD2460115E702F0AE213181BA9DA04BEE0910,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259390Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:07.280{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-58444-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259389Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:09.272{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398482CEE0860928CA2253D97B2CCF96,SHA256=ADAD637CB2A50EE0600BB3117DB57CB231D582C66C30A3EB5C8A32CD2668C25D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296493Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:07.479{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59166-false10.0.1.12-8000- 23542300x8000000000000000296492Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:09.193{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0260E3149CF0DB8F12893B01EE68D787,SHA256=92E56EC800447BE3C3B04B02FA11EB91CE79B6C527264BB7751C087F384F2ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259388Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:09.100{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=540F25C81DBEF14DF4315F524DAF2418,SHA256=2F00A0CB2872CFB6B3C23A2D664DEEA2F0C21B1ED087F28E15DF89FEA91994AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296494Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:10.208{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E39F07D2EC99C25D20F702BBFD2C3B,SHA256=FD9B11919F116CADFC38607308D213B60F5EE44B539057953033AB4B1FD2A8C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259392Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:07.607{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50849-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259391Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:10.272{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078FA7662771086459D63628A703B7A2,SHA256=0D32A840675C40D7FE26A7FF8F20F5C51153F95CB6943F87F14D0375B580FFAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259395Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:08.754{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1086-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259394Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:11.366{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56FD389673174CCB0E90FB0C8944E744,SHA256=06B66A1FDC1C585726E9641E3146F60A51EB140C963721F18DB326821C6BBDD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259393Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:11.288{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F06E8DD3E080F5E3BBA8532AE4C58A5,SHA256=16067B59B2117ED31B26C7344C22430396BFF0D84770A65D8EA660FB7F5DD033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296495Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:11.208{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9DEB8A15EBC00D34049DBE2991894A,SHA256=15EEA8F1565547759FBDAC6C9F9C157FA148AD5E712AC8B2585D1453BBD2CCB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296496Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:12.224{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9807887FF2AD6231853711AE2452CD,SHA256=8175D5F5AC10D54B36D87513BECF3F78E4B7B8FF0491DA74ED41A86F3167FDFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259398Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:12.757{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDEC3D7C5E6E512B3040BCAEA1423C1A,SHA256=A086BBE9F982C2DD42A3119FE18A79242FCC9E78BFF89AA0DE2E44862D2AD051,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259397Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:11.014{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-3336-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259396Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:12.303{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95914A3BBE2781AAD862DC53615BE56B,SHA256=3D820D9AEF9ACD0FB249EEE6E51BEF455B96A1737A633B449B8B39B18B9FD2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296497Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:13.240{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E8EFB070CD6D1A9FC1E3BF9338D9B6,SHA256=35E8E1B34E9CCADD8848E7281C0EF8B13E1AB9297CCE90127206CACD751D6DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259399Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:13.303{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8833DF43600F62ABAC4DBB013129361,SHA256=437B82CD720B777FCA4076064AE1198ABA20FF2F7A8C4CBE9B465620619EDB59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259401Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:14.413{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3DC33014DC96630F856DF6D06186816,SHA256=6D3B37B0925DE511599537A7E75106F5780481B657DDD6741BA115E7A66CEBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259400Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:14.319{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD97EEE1F10C7B1F273F5F4E07BBB18F,SHA256=39EC32C466921C6E57B3688C464E718383196860FAA2864FE1A141980BFDFD69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296498Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:14.271{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20AA82E6E2D8B28D7CBCC1460B08C495,SHA256=C23C2A4A66884DCA0F596148E867F2FD8DDFD816959A769A7EA1FA34ABB9D4A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296500Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:13.416{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59167-false10.0.1.12-8000- 23542300x8000000000000000296499Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:15.287{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECD60836A28994B38083A4EBC6AC55B,SHA256=5C6DA1759AAB52F27032F85FD91D1C3A7B27554FAB327E524B6B130F9040BCDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259406Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:15.944{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F15E50D785FC0B21C30C4D659F002EC4,SHA256=B31296B3F60266880977646224C235955D812199077E2D11A99838512441C495,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259405Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:14.033{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-6357-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259404Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:13.639{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50850-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259403Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:12.403{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-4829-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259402Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:15.335{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7493E35B14151479AEA46471F210C3F5,SHA256=217ABD13C0F2A211EA4B141E4151D0CEC267E22A65E91A01CCD60A803064CE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296501Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:16.333{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9589F91B7B7E34C05EEB9635274F5CE3,SHA256=0645DAA1AEBD2E8E77386B1F98709EE784EAA5D34660F1FB0930ABAA481FB956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259407Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:16.350{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FF028C59C3424DC1EFA377DFD05D41,SHA256=6E011EE9A117AE85D27575A368C8DBD64EE613CC1E96ABE092DD0B3F1E65C070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259409Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:17.647{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F092127E20DAC3A4AC10E814FC3F4586,SHA256=0FD91C3D39FC1FE5269343CF07FEE3B79F73E46FCD9CF928E2FBBC1A15F9F3FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259408Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:17.366{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63986B43641964296F313F403DAA6130,SHA256=A3EFBC12EA502BBB8C35E0833CD8186B5783974CA9852BDE4AF6C46AD7E76706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296502Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:17.349{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8BFC5899F16AE5D4B5124D427240D6E,SHA256=C3E8A3FB75C3BB5C0DBE0EBE24B6A91478F449A00518C30AA12B0AC99CA0D860,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259412Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:17.200{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9670-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259411Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:15.634{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-7998-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259410Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:18.366{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5615703527A52781A789F58D39EF3A,SHA256=161A6AA647FB703485956905DD1972060B0F54E38EE5402C1A481DF7C53E367C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296503Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:18.365{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9729B422B677B0C68ABFB68BB72BAE88,SHA256=55828D5FCDA755A15E046FB84F647BE5FB72AA5890AB4CF3C6888166D7FC80A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259414Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:19.382{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568995F32D2B0E990EB01CDBB8371C02,SHA256=B4132D0B8BA01065065AF79E0917D48A56C675D09F8C1B62C665CB572C567325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296504Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:19.380{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983554610CDF4750C18FDE2761911368,SHA256=A873842775122E2FF7E75F338E4DAC3D7BA2CE29F29BCBB271CD8563C0147E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259413Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:19.006{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=238EAF939AE0F047C36A6E4F65A5900A,SHA256=24D16265C930789201A732C5806ABEAB1495BDFD0FF795D1E665F7F264598E85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259429Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91C8-6149-2327-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259428Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259427Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259426Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259425Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259424Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259423Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259422Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-91C8-6149-2327-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259421Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259420Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259419Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259418Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.850{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91C8-6149-2327-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259417Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.851{C189DCE5-91C8-6149-2327-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259416Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.506{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8049388A265ECE98164776CAAE9F9BCD,SHA256=EA9308FCC567D03660CEEE3BC27D8C47573AC2A0396DAC43ACEA027768E53234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259415Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.397{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D39EF8A670189D68113EB163011C8A2,SHA256=17428E624C55F871CDA66A050B8B55C0CAD74133028879F38D748687CF536A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296505Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:20.412{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A376A5AA0F8F355F4D94FA4914F404,SHA256=5BB652E1909CF8A5DB02DAB6FFA20DAC22E5E99A5D2E51BF2B5909EAB6941A6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259461Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91C9-6149-2527-00000000FC01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259460Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259459Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259458Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259457Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259456Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259455Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259454Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259453Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259452Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259451Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-91C9-6149-2527-00000000FC01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259450Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91C9-6149-2527-00000000FC01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259449Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.867{C189DCE5-91C9-6149-2527-00000000FC01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259448Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.866{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ECF14674BF2C6C9CAED7BC82760A881,SHA256=6FC419F1098BD354F8BA1049D87EF48BDBE7CECB1437EDC2B8E1B238D73F4DDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259447Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:19.654{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50851-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259446Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.725{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6493C69A781F1F461D9DBDECD56B5BF5,SHA256=026EF24A463EB453EED08A5B16D76922EA01D33F8B13722376DCAAFB4746E4B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296507Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:21.427{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05526EFA34949A8A19CBE892585B6D62,SHA256=5F02B98403B9877271EDD35F434BF4700774535EC268AB6224EDCCC0B53234E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259445Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91C9-6149-2427-00000000FC01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259444Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259443Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259442Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259441Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259440Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259439Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259438Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259437Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-91C9-6149-2427-00000000FC01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259436Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259435Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259434Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.366{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91C9-6149-2427-00000000FC01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259433Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.367{C189DCE5-91C9-6149-2427-00000000FC01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000259432Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.131{C189DCE5-91C8-6149-2327-00000000FC01}6563932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259431Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:18.791{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-11339-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259430Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:18.740{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com60649-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000296506Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:18.526{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59168-false10.0.1.12-8000- 354300x8000000000000000259476Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:20.323{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-12887-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296508Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:22.443{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB762F13B1E4F05D5A86AC4678DD1CFB,SHA256=417786A7DF2403E56721E2B23C82588E2948B7785A9A46199B107109AD5AC5E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259475Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.631{C189DCE5-91CA-6149-2627-00000000FC01}36321044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259474Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91CA-6149-2627-00000000FC01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259473Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259472Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259471Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259470Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259469Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259468Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259467Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259466Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259465Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259464Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-91CA-6149-2627-00000000FC01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259463Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.366{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91CA-6149-2627-00000000FC01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259462Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:22.367{C189DCE5-91CA-6149-2627-00000000FC01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259481Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.748{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-14435-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259480Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:21.718{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse138.199.18.88unn-138-199-18-88.datapacket.com16584-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259479Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:23.823{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AB5439C7ED677938F18CDA96379962,SHA256=5D958B5E26E19455466ED8E4A8E2BFD633D64B215D84ED6EBD26DBDEE04596F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296509Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:23.447{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5F9260B5649A74C6829D8900F319C1,SHA256=1C97AAD4CFF39271563D88334F85DD217D2B98C8161094B67C339C97197FFF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259478Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:23.073{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D21753722ACADCEC17C5AFDE21067043,SHA256=FB86D63325E0E1DD3723C3717B69C29FADED3C92092E2C1AA4689397A9A15D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259477Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:23.073{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5340D0F9F2B0A67BD269D484D27B546,SHA256=E616055C48D2DE1756F7A5A7001F3000667B27658AE5347D0D979471CB00A262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259497Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.948{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B4F0E05CEC401990474EC61D05652F9,SHA256=80EA72145C89E01DB2BEA9B7D49AD6A4998F17F22BC8CCD49562AE7094AA6E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259496Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.870{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5AD395A7C9390B32DF232D6925FDC8,SHA256=2DB626E6AB311985FDBA6CFEABBB91876EB8B9925B97F7A6C9AE3C38E7472717,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259495Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.870{C189DCE5-91CC-6149-2727-00000000FC01}25201396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296510Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:24.478{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA94A47D558B24B7A0A1214AE256EBA6,SHA256=470D032482173907968BCD8CBF99D7356E458662B5E21389FFA1B40FA23C5EFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259494Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91CC-6149-2727-00000000FC01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259493Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259492Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259491Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259490Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259489Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259488Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259487Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259486Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259485Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259484Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-91CC-6149-2727-00000000FC01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259483Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.604{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91CC-6149-2727-00000000FC01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259482Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.605{C189DCE5-91CC-6149-2727-00000000FC01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259513Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:23.178{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15897-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259512Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.885{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E41CCBAA9B6E802329811376BB1A69,SHA256=17CA566F425CBAFC66325598F6C814D67ADE139C89835238DD3FD5B1472B835D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296511Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:25.494{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8882FFEF77888A9CDB7907EE4597F654,SHA256=EF295CE38916488D9272A490E76EC13874863D650D27D065B7E36813B6A490B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259511Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.386{C189DCE5-91CD-6149-2827-00000000FC01}23684012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259510Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91CD-6149-2827-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259509Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259508Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259507Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259506Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259505Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259504Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259503Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259502Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259501Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259500Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-91CD-6149-2827-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259499Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.104{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91CD-6149-2827-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259498Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.105{C189DCE5-91CD-6149-2827-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259528Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.916{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD41CD5B6DCB3E1B3F392E16372FB3C5,SHA256=89D57E2E8E3B50F90204DCAF446EF340D8AC383F677FD29BBBC8787084AC496F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296512Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:26.541{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD038610BAA9E241FB7FE8D2486652B9,SHA256=C9B64F716F385042CE455F2DFBEDA26C8F3315484FAAC5E233809EC96107C08C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259527Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-91CE-6149-2927-00000000FC01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259526Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259525Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259524Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259523Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259522Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259521Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259520Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259519Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259518Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259517Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4A3E-6148-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{C189DCE5-91CE-6149-2927-00000000FC01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259516Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.588{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-91CE-6149-2927-00000000FC01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259515Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.589{C189DCE5-91CE-6149-2927-00000000FC01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259514Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.338{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=866771767CB77EC67FA5085EC3786BB9,SHA256=8C49D819E351EB9AF2750BCC7B6C61021A50585C33F9AFAFC6786C847DE3A34F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259531Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:27.932{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A2FA68F572FEA10F58E0CA2651BA2F,SHA256=3D48EF463EC199FC654A16D35FC29973A88FA0B4EBE29FD02C32858F3772351E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296514Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:27.572{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F64B008586668643C45EB3EADBB2D4F,SHA256=CBE34DF28C8A0A84E8EA91B1A8C59E4B18102DCA75CD3C712D4BAEF4DBAF6D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259530Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:27.604{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CC025DA2F691DD1F004F511DCD60690,SHA256=4CABB4ACEC01C3D66249333FDB9596882A304A145611E193E0A95E75B4E226A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259529Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:24.526{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-17260-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000296513Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:24.436{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59169-false10.0.1.12-8000- 23542300x8000000000000000259534Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:28.948{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A857A2DD7F3F751CA639A3C3A418493,SHA256=E93CBADFE15E2192DE3D6F7BA45EFD01F29B77B291D158074A7C21B85D4668F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296516Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:28.619{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BF201CC3B69E9F3DDCEFE16BEEA63830,SHA256=D440C19DF952BCFE805AE6B32080AB66D69E5B45637BDE6B79029B6DC6879CBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296515Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:28.588{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F30D9579BC4550BEC405CB9BD0BA326,SHA256=630A0452832F4D9484B4F64BDBDBBCFD2F642CD2938E41AA439E8C51E96DC37D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259533Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:26.132{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-18795-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259532Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:25.595{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50852-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259536Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:29.979{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB0FA8B36B6680D476FD494AF7CAF51,SHA256=2A9548E7113DE4F8603B3D775725D181EB70E7E296B59E50DA9AE2AA8594F3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296517Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:29.603{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61E58E4B3CF21D8866597EC2F9F8C3E,SHA256=E1C2A49F56BC365D239EE1B0595242FAE27C384EF63F6B08211C2AA23769FC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259535Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:29.541{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8412E98AA75F897E3F119A6365A00053,SHA256=F4274DF5936CC395728F1985923ACA8858F8596C69D906CE991F2D4EB1ADE489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296518Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:30.603{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7789C1514A23F9F53A3765119C200E,SHA256=19AFFDCC6AE5CB7058E8541C283A6172D1C504770E1D47790EB49A1BE7B2F19C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259540Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:30.994{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A77B85DE390663CBA27E0E94BA8C1D6,SHA256=ED7EB04005A629ADBB7194E02514113ECE5DC55200720FE7EA3155F6E66C12DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259539Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:29.167{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-21890-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259538Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:27.763{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-65473-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259537Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:27.649{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20375-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296520Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:31.619{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E476BE98A8FA7CB48BD5343CCE261FC,SHA256=9DFAAF7F04429CBA95BD5F8EA3D15C50C0BD2CABCB4D0A23A79DF836E26B699D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259541Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:31.026{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0975D5F2CDBAD2CEFCA63F0139C05DB8,SHA256=6FD7E485E9BEDDBA369964E43AC45DF887306C71F7E27D09A8CB9680386C6603,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296519Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:28.429{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse202.139.199.35-49884-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000296529Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.619{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CA9924A4476859FC88B61FCE93C85C,SHA256=080A8091BF3E43FD2D2D61C5EA4B33CE4C549D40B59934045AFF3E99CE730865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259543Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:32.541{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB9366CA2C417543607CB577AD4FD48D,SHA256=D04DF55E721F6B7EFD61FD555203C8738D78AC554F5EDE867DDBB48F4FCFCF2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259542Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:32.026{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5D8D1DB27981200113B0F4BD9EF874,SHA256=106968E2D8E7A3B21CDE18892B7EAB0C00D122E35DECFBF892551512CD73F2F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296528Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:29.561{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59170-false10.0.1.12-8000- 10341000x8000000000000000296527Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296526Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296525Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296524Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296523Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296522Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296521Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.166{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296530Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:33.634{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F19A6CB25141CF8EFA10DA40AC4A363,SHA256=5BE9909FBB07F16B8A04E430DE701BE68F08C57FEA392055478E2C89F8808036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259545Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:33.979{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79BCD72F7EF5C076FC82283CB83AC21B,SHA256=C3069394756D7349E06E9D1D39BD1201E9303460EF9B8FFEEF0B02914E896B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259544Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:33.041{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1BF4577299D3687D6ABA789FB5BCDD,SHA256=347330AC30D82ED530CC33D8D835230108BE998BE9DD23F520440B4099F8F31D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296532Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.794{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1370MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296531Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.636{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEFB1C7AC82E00A061846835B858CA2,SHA256=37C60CC0BAB203A1247E9F6C7A61FE0DBBC1BF9CA467E69EA05B6DEC010F6CB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259549Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:32.105{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25095-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259548Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:31.595{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50853-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259547Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:30.548{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23435-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259546Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:34.042{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257AF242AC3EBE1FD031071BE7766874,SHA256=6422934E1BE314E76581F5A4E54265DA75810BE413D1FEF70CE498F93D866247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296536Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:35.807{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1371MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296535Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:35.650{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74CEDA006E99285E2B5813285A1EE77,SHA256=DDCC87877994F810BC5EA3389238948F79F3C6417A99D8FFA257BB1A796AB28C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259551Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:35.526{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31322D240281288E4CF383098C847B6E,SHA256=8DECE6449B75FE16C54B2AF1EE37AD906FF5D9E2BAA952DEB4E9DC20E04771E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259550Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:35.088{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C4B8B0818EA5DF6E7166BE030C68CA,SHA256=28A442EF9AC2F0617644028A7F6DC46220BBD0C2473EDDE697EE8CF8FBFD49F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296534Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:35.509{5097E253-483D-6148-1600-00000000FB01}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=03784A6CF877374FA3D661A47245A345,SHA256=17B494DBCEDB199B37106D8E2C7D3D205AF0EFEAF209D3E97D8A3CB900E87B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296533Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:35.494{5097E253-483B-6148-0B00-00000000FB01}6327440C:\Windows\system32\lsass.exe{5097E253-4839-6148-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000296541Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:36.652{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F65E05AF5560B7A3A0D876B6605BA4,SHA256=5407DA0E6A1C18B3C4DCD3C166DC44B9A5E483363305DCA3EC4486EB5DC76C12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259554Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:33.545{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-26528-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259553Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:36.276{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259552Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:36.119{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B44DAD6B912B0A5F11C35638F5604FE,SHA256=C870FC61DA311763E34C3A158A20EF025F139F9E5D6ECA46404AB3A77B425BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296540Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:36.495{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78F3B317B34548C3E8911673B4A4648C,SHA256=7EEA009B46830CD490E25C0BD1CAC1C418818B3C0F9BC6EBF61F68158C7A147A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296539Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:36.495{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0662A0719AA488E27B112B770A191CEC,SHA256=144FDE3343A45151486D80C7B951FF1C59F4B2859F8AC3CE4E90490DB47E1B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296538Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:36.386{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296537Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:32.725{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-49990-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000296552Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:37.683{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03212A958023CADB448D6BC7B8E0C58,SHA256=1E9E83A181D14F44FCA87F36D2DA3AB88ACC373201E034F1D19DA69C6525BBD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259557Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:35.162{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28191-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259556Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:37.151{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490D56B861F235F3E89DA04877B485C8,SHA256=18423352FE5C261F171BA7473CB400BC5FBCAF92D8C91560FB47EC939A874B9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296551Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.818{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59175-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000296550Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.818{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59175-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local445microsoft-ds 354300x8000000000000000296549Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.815{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59174-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local49666- 354300x8000000000000000296548Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.815{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59174-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local49666- 354300x8000000000000000296547Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.814{5097E253-483C-6148-0D00-00000000FB01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59173-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000296546Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.814{5097E253-483D-6148-1400-00000000FB01}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59173-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local135epmap 354300x8000000000000000296545Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.711{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-966.attackrange.local59172-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000296544Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.711{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59172-false10.0.1.14win-dc-966.attackrange.local389ldap 354300x8000000000000000296543Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.704{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59171-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 354300x8000000000000000296542Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:34.704{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local59171-truefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local389ldap 23542300x8000000000000000259555Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:37.072{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1293A752E0868230A56B8065E86C062D,SHA256=435A8BEE28B8FAA5F5084CBFD7EB5450E3BF9393D6A4F965ACCF42A2F75F95E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296555Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:38.683{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C41207EAFC8EEC9382F3DA19807D1444,SHA256=86BFCC0F7903B2C540CE6BC0B923F344F085C0B6DB5F838B57FE09A9AC76934C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259560Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:38.791{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B2CC778B2E1331C8E4CE03AA357686C,SHA256=9DA98618149AB4C0E50D2A3CDF560A80A19772FFB655AA6BEE8469DCED0A4589,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259559Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:35.736{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50854-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000259558Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:38.244{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958E40375BA3E930DB6B2C2C0D0F6155,SHA256=7C859D3A0E0F79F3CCD6EB0218BF309EEDA12A9A5CAA95E0E673A3FC18BF5541,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296554Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:35.688{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59177-false10.0.1.12-8089- 354300x8000000000000000296553Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:35.497{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59176-false10.0.1.12-8000- 23542300x8000000000000000296556Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:39.699{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DDF9006D68A36BDFA6DDACCB643C2F,SHA256=EA02A4B2E147EE7787B49B50ABFDB06C46FF8E70459796CADAFF1FA1E44F13FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259562Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:36.684{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-29773-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259561Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:39.244{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0131D85D441FBDE5961ACCE44DE58942,SHA256=E2F5611FAAEF0265E1232777C483E44570A6A40C9D4042F890925F586D2B9520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296557Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:40.730{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CF16BC154B3B0FF2AA49E8C77BCE6F,SHA256=80077787F0EDB44459052117355AA0C91CB639AD2F05D8BB853FC7E1A8CBD1A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259566Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:38.360{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-31460-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259565Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:37.627{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50855-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259564Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:40.260{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C305AFCAF595BB6A27F034149C4E1ED,SHA256=A3C02CA3C40DC27F431403CCA163042F88DC6C2DDF88642EA7B923DB891277C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259563Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:40.197{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF74B20F98545FCA9526665458C3E6F5,SHA256=522207DB0DA604C5BF6B3140F01C7B89BF03F800E7C01519D20D853F32A5512A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296558Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:41.730{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DA3C441B023CCF1E7D2D23B7780103,SHA256=AC53EDE2AEF938950543940BD23BEA55758F6D43716A5CF6F45656947102EBB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259569Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:41.904{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1362MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259568Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:41.683{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62570B3E095343E4D878AB022CC9E301,SHA256=07E7523B22AE050338339FAE12C4AB5A3B5984B0C57637B5DCC1FEBB3EFCD055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259567Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:41.338{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DA37CF0E75180F0A362B97EFBC9F0A,SHA256=F4A09D4445E2090B5978914EE0008BE0BC051D0558EFCB9AFF304A0D95795C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296559Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:42.745{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974F833A8B5B1962A37B53215FC9E687,SHA256=2C641C9DA9CB4B5272F68A10684881F28D1EAA1CF78EC2FC654F53D9C62281BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259573Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:42.911{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1363MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259572Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:39.976{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com60133-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259571Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:39.835{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32901-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259570Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:42.347{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71E892F67B458A05DA0B5A8F592848A,SHA256=7359F50D357D1455DA98D74CA2F3B21F0F7F753E3D8E6845D133422A6303CAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296561Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:43.780{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0753E379CC4E789CEE25C84C990FD37,SHA256=E3787A48BA2F24333B58CC529549925C3465F23A1339E7EB31B4BB48044064CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259575Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:43.502{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C44B60DC37BBB5BE148D6B10A16E9C0,SHA256=C2F7167BCD46A37FA3302FB45BB470B169578E535428BFC811CC6AA15E169C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259574Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:43.358{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49F9E28E33B809DBFD13C8D8E620033,SHA256=5279CF08D5282D9C622E20A73152F354C04948A50CCDD73AB35F18AA18005852,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296560Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:41.406{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59178-false10.0.1.12-8000- 23542300x8000000000000000296562Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:44.780{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA8F383B4692DCD32A069673BF408DB,SHA256=C5FD31627C3C484F72B60696672E5FADDB1F75397F42A623FFEBEC80C64DB045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259578Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:44.970{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75FB55DBDFB176F75455C2C1BAAA3D86,SHA256=34875346A267853D35C74377743DBA6302228922E5FB19F794081DA28FDB8E25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259577Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:41.304{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-34442-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259576Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:44.408{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E54C7CA30B8A2D3B96120B88DC6996D,SHA256=350484D7DC234F2626BB41734E8059F40F8B32757EF3B78A2BC92B20FD82D3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296563Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:45.780{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E96F611E7E35E158CA940B047B683F,SHA256=5C437C6AC2DACD8B3C81CBB47B0C6B94D17AB0736126628A459CA302E0C0E912,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259581Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:43.618{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50856-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259580Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:43.054{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36342-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259579Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:45.423{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C6BB9BBE8D8791039B56601C93DF87,SHA256=B2D07A22E3B0070785FBF780D20F8218F313418A88F5202062644CDD1A8B11DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296564Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:46.796{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12405C41CD16E79883208940F6DF99D,SHA256=BA6082751D12E06606876A806914549299E567E5E17449FC9D6FB44E44447009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259583Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:46.486{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436FD126F464182E8D834856D43CE1D2,SHA256=E68BE77874B96CFA21D3550B0B0554AC0DF5F8D559A3AAE14DF600074058B4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259582Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:46.423{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=120C43DDD64811638191EB515ACB6CA3,SHA256=897CB9EBA287BC3D9F42E27A39316F020D758ACAEA70B7CD58F3768F9A2C5687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296565Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:47.827{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EE27E3B30895FB6A15E4B1E06DD1A1,SHA256=E35E8D5A7AB9B0350EA5F2E6FA2884DF6F57A66878FC653D4334EA57B58A3167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259587Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:47.861{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F479AD3314E444713EF013AAD969154,SHA256=4FA5CFB9A26B9E4FDEC307090525A5BDC566DE224E1563298EE02E05B0AA2E85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259586Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:45.974{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39422-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259585Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:44.522{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-37937-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259584Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:47.501{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F944BFBF4FABC1C526085D6A2FD416EE,SHA256=D5B4D932C7624C89C5FD24F1CFA71E66FBFCA7B616504F0551B7D0CA2ACB64B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296567Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:48.842{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9314E6E679145B0C17C27B69F15504A9,SHA256=967834D602ACDA4140306A904E754265B3CAE1915FB0B7FF35271C59965298DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259588Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:48.548{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC6EF5313816D1ADC683A24D4BA1A6D,SHA256=F5D09CFAEBFDEBB273EEAEA5347736AE4EA50D2E6CC9DDF6227A06F96E5376A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296566Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:46.503{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59179-false10.0.1.12-8000- 23542300x8000000000000000296568Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:49.858{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FD6F48F233ABBF5904A66EF407EBAC,SHA256=C9C6D794558DE0112AF23BD16B6266472998959345202F170718C2B407CE9D4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259591Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:47.456{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-40835-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259590Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:49.595{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E70B826C0D9A93CB1F8F56CA864FC4,SHA256=A55A6DB2B549BF1DA503624553FDAF330FFB8EE94BB54E55D511BACE3D406412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259589Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:49.298{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C3C22678F2F729D73500575F8693909,SHA256=A0D316BB579CF152045B781F4AC1917BCC613B855926AA6E9FFFE1D9FC334BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296569Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:50.874{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A57A43F16A070C1AD7D3FF54E10658,SHA256=D04F91088188E5158CB558B0254C7AD82EBB1E4B7178D6C4CA7E1375A5BEFAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259593Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:50.876{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21737ADAAD15113D2D1E12492907AE37,SHA256=5E506982ADE138D586FB8545F97492245F759522927888F1A5C3BF4B2637A59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259592Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:50.626{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8073173BC0878529850477BD7215AFC,SHA256=6EB169F31CB14CAF94A871C8180F3EBD3DC55B46F234DD30C78F9C9E4020F1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296570Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:51.889{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FDDC1C5EF08189DE222FB7BC8AE0B8E,SHA256=0CED3776334ED09E346F1AB13FCB46D2A916550AE528B8E471DDCA981EFFB9AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259596Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:49.618{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50857-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259595Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:48.967{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42366-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259594Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:51.658{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290B41277C5C55385D0F32E1883E0751,SHA256=D632AEFE075EF910777F2FAD4F0E2A90DF09E684CD1C54C0CBE73B75FEDE430D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296579Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.889{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7C14EC20B94F9F166FDA4EEF572260,SHA256=C9DC8ACFDA67E5932216DAA931A3791D396587D42DCCB30B313E668073379A7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259599Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:50.429{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-43777-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259598Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:52.673{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792370B582E797E47619A5D91C4D4704,SHA256=0566711BA3FAE0C6380EB61293F013127E4E92379C584E974927A99D675CB816,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296578Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91E8-6149-952B-00000000FB01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296577Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296576Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296575Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296574Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296573Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-91E8-6149-952B-00000000FB01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296572Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.577{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91E8-6149-952B-00000000FB01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296571Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.578{5097E253-91E8-6149-952B-00000000FB01}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259597Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:52.236{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01E19A1519A95B8FEAC56210E24F7F1F,SHA256=725F91E54B74010387ED455997CB5504B5895C337F5E0323D6964056D59F4C83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296598Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91E9-6149-972B-00000000FB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296597Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296596Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296595Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296594Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296593Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-91E9-6149-972B-00000000FB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296592Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91E9-6149-972B-00000000FB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296591Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.921{5097E253-91E9-6149-972B-00000000FB01}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296590Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.905{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F4B96BA1A1E56C61A5EFDDA58A3431,SHA256=4DA13579CF0F6F8BE014721A15E0AAA2673E30DAEA74AA18B11C96085662F227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259600Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:53.705{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1CFBB4EC12F443C91DCA5A12381304B,SHA256=9B1BBE12D4EF97938E3F76CC5BE32C550B331EC1787F81EBD9D04CD00C02C13A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296589Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:51.706{5097E253-483D-6148-1100-00000000FB01}412C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:9c09:5653:1dd3:6a3dwin-dc-966.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 10341000x8000000000000000296588Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.389{5097E253-91E9-6149-962B-00000000FB01}11526724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296587Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91E9-6149-962B-00000000FB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296586Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296585Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296584Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296583Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296582Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-91E9-6149-962B-00000000FB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296581Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91E9-6149-962B-00000000FB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296580Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:53.249{5097E253-91E9-6149-962B-00000000FB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296610Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.905{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A452662206A3554A3F92CEDE38152CF0,SHA256=BCEEB4E522C8FCBDA8DEE444553C63141F196594E46CE0F4D2332F492E735B34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259603Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:51.914{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45279-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259602Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:54.736{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0AD0EF4DF12311360634081B12E782,SHA256=D89A6E0A35BF554BBE596AA36BA3991E410F819AA4410690754B61DC68E940A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296609Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.733{5097E253-91EA-6149-982B-00000000FB01}38926224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000296608Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:52.409{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59180-false10.0.1.12-8000- 10341000x8000000000000000296607Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91EA-6149-982B-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296606Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296605Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296604Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296603Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296602Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-91EA-6149-982B-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296601Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.592{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91EA-6149-982B-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296600Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.593{5097E253-91EA-6149-982B-00000000FB01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296599Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:54.061{5097E253-91E9-6149-972B-00000000FB01}72326408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259601Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:54.001{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC7C4F6E355479830373DB09D5519E28,SHA256=9FB05C4A8ADBD5182EE529D94AF5664700DF0C5827B643471FEC26FB9B60753D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296628Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.936{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC1471346DB405E483A718FF049BE98,SHA256=EEFA5CFF4AB318367FF9085E94749093E2B18161F35DF60F368218AF226F9485,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259616Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:53.552{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46780-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 13241300x8000000000000000259615Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000259614Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x050007ae) 13241300x8000000000000000259613Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0xd6f99c15) 13241300x8000000000000000259612Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebf-0x38be0415) 13241300x8000000000000000259611Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0x9a826c15) 13241300x8000000000000000259610Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000259609Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x050007ae) 13241300x8000000000000000259608Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0xd6f99c15) 13241300x8000000000000000259607Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebf-0x38be0415) 13241300x8000000000000000259606Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:03:55.861{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0x9a826c15) 23542300x8000000000000000259605Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:55.767{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0BE762B731AA686CCDD877F289DB80,SHA256=F989BC86023677EF787A7F4181CEEC2DBA0F85442C7DF3D3690615F6B66AD7CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296627Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91EB-6149-9A2B-00000000FB01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296626Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296625Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296624Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296623Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296622Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-91EB-6149-9A2B-00000000FB01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296621Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.780{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91EB-6149-9A2B-00000000FB01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296620Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.781{5097E253-91EB-6149-9A2B-00000000FB01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296619Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.327{5097E253-91EB-6149-992B-00000000FB01}80845388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296618Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91EB-6149-992B-00000000FB01}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296617Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296616Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296615Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296614Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296613Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-91EB-6149-992B-00000000FB01}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296612Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.186{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91EB-6149-992B-00000000FB01}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296611Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.189{5097E253-91EB-6149-992B-00000000FB01}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259604Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:55.345{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19A75624490CD1631E656DD8C6D73A84,SHA256=B85E87A71A143965629D2E0B18D6FDAEA91A3C0A3F4D6D50A41B5F7147622D1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259619Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:55.027{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-48363-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259618Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:54.665{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50858-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259617Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:56.861{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53895AD8380D4E76979F4C61A2F3683E,SHA256=056989204D3F68F14321324C5EC09CC4BE63F1272DC98D1A4082BA481671DEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296629Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:56.967{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EC329F7A785406CDC5596240C35CCF,SHA256=6956DAB713C4BE072B2EEC3B9F5B47FF8E175DEAA1DFA2C9BC05686D754BAA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259621Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:57.876{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04F66E44AF0D02565E261B124485603,SHA256=5F8D509157100056F16321763A93B8EF6307FC76B6CA7986D53FE9116FD47964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259620Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:57.017{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F523F3A170DACD34EF7A9EC3CC8AC3F7,SHA256=C9A752E645527903A83DF733E8BDDBC4C2F8AD0FEFCC3E595383F84E32353D5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296631Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.832{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59181-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000296630Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:55.831{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59181-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000259623Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:58.892{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4B8BC69F79D09CC5100CFE3B07B2A5,SHA256=4D0150B7F8583B61DE68DA0A0141C71EAC4E6E4AADFC7D1E581084748B9E35C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296632Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:57.999{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26D1276A7FFDC57DE12EC2081366E15,SHA256=D169916BD07A4B466376CA32C8C7E3DB734167E5E02DA90D9A118DEEF165DD7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259622Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:58.470{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4399E7CDA5D88DE3CCE07A9415B82873,SHA256=86B85B7BFE166F7E58B23083DDDF3E15073FFD6CC6A980ED573DF2AC8D9C84CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259624Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:59.908{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D632659D21EAB469D959DEA8A63C9D,SHA256=0559321ADA04FB3CFF126AB7AA231840F0D14228E37DC02DB0FEA03DAB05700A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296634Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:57.409{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59182-false10.0.1.12-8000- 23542300x8000000000000000296633Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:03:59.030{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0E353FC228A79D9DB3A686DEF33BC1,SHA256=55AF50DC52A763CBA5CC2D7E1A2C8E2707AC9030A3DE4B9A03C9FF9112126EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259627Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:00.923{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A2006E54D27FB65A2DA805B9ECA906,SHA256=1C2CA24F9ACE6FA002128F5F1A00DC686C039C3A3A72E2DFCA321A9DF258543E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296643Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.046{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39CE3B9799B70800322701ABAF7C1C6,SHA256=C207E4F8D14F6FDA5BFDFFB17BE9108BDE4769FDFD7F7B4ED5E25694636DF66B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259626Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:00.064{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C55107D3119CB69DF0895B3BD0C4A6FA,SHA256=D4D337D4CB7D0E7AB4F466721D275177819E622B75B67B7755740C5222D33F4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259625Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:56.569{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49864-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000296642Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-91F0-6149-9B2B-00000000FB01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296641Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296640Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296639Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296638Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296637Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-91F0-6149-9B2B-00000000FB01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296636Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.030{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-91F0-6149-9B2B-00000000FB01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296635Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:00.031{5097E253-91F0-6149-9B2B-00000000FB01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259630Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:01.939{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694129AB7E9F6DB6B24070A3C23ADF5D,SHA256=77A3EF25CDAE2AEE4BF07ABB098F8153366FE609EFEDA87A33C9BA9B8540121E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296644Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:01.139{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADCB2B236501FBCBFF43A7649997792,SHA256=FF6967E42E698AFB6E5E39A87F72452CFCD24A65A72369BAB0B32106679D4D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259629Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:01.720{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03CE15A3F4802F0C21938CC3175474FA,SHA256=B7EA5E640B1F3235AA3F5383C8740AA1216088A41A6FFAEDBB19C1D57EC78144,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259628Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:58.025{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-51442-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259632Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:02.954{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A4C07F20B65D2FAD2735293BA61D74,SHA256=7F46FA5F1957AFD685C08C0A3758DAB04D0D831F61B8A768F0BD185719F5F48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296645Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:02.155{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336453C652BC7E443390AFF87D4DAC36,SHA256=D7BF9B6D85C1F7078A168F973CB46EF2853048BE1AF0EF736F7E05DA6C7381A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259631Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:03:59.674{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-53039-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259638Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:03.965{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C778CBE09D421DB94BDE209300D678EA,SHA256=1CB80E0FAA4266B0C44F107D63129A81260832A8820C4D43915E1C748B9A0634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296646Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:03.168{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4D4E124C39CE47DCF270E5D7AB6A62,SHA256=562A2B4DD9184AB4DCD2AE3090CC297093FB74D3BA47028387923C5CF8494C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259637Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:03.199{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=62BA0AAD9D6FCC79F47FAEADDA3911F6,SHA256=DAB0F120BCB17D3793553902B261582A7268061D2EC714BCC5FD16FF20DB31F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259636Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:00.946{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com59020-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259635Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:00.649{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50859-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259634Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:00.446{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse188.165.200.30ns3128168.ip-188-165-200.eu52983-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259633Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:03.152{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A124A5B6292C20620A7ABB761E644DD,SHA256=B13201C116D47B14A99C7697465BB89B401A93AE41F977A6109128ACFB7023F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259641Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:04.965{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28F99DCBE938D2D87FECA6B47904FB4,SHA256=CCC5A2F93EC07187FC48B9423F68D304773973E0AB67D0397EDA0411A3E4FA5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296647Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:04.183{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94450F13D4504B3A4792D4A4D790162,SHA256=D5DBB11B7531E2B9533542F75098699C8EC6A0D74EB0914B130D7580D26B7D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259640Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:04.637{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7FB50E7416ABBE85E7EDC4FC945025D,SHA256=9C3C81991F8EFBDA33C0C1C54A201F16467452C9F17CAA627194A227C3716DD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259639Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:01.343{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-54745-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259643Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:05.980{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2409BCDF3A68378B92BEDD3D9782E8A,SHA256=3BB721F5A043CDFC3C34E4CC5947FDDAE8318A2972E57886252F6AB4F866C0B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296649Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:03.391{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59183-false10.0.1.12-8000- 23542300x8000000000000000296648Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:05.215{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89AAFDDAB9A92F7ADE6714959BE492C,SHA256=6B578C780E3A8F6E760B761187BC20CD59B79C911653B97F9BF2CABFEAA05850,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259642Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:02.750{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-56157-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259645Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:06.996{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E9CA174D9703D882F51C3DED325FC8,SHA256=3B7618BAA9156D9CC8699C610F78B48D708F661C6D1309BF54896B896C1A402F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259644Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:06.168{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B904A412A79ED47BC45D31D5A18D014A,SHA256=1672EAA4031272357D2282A8BED131CB84CC9C487C4FD8E5B37741AC863810E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296650Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:06.215{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66553102A80E36F2CD146364C588AA35,SHA256=7110EBEC81A389BC45E63677143B6E2A887FF8B9B0FC440C4740E1A6B00F683E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296651Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:07.246{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC1D2303352A490A4E3DF74FEE677F9,SHA256=4B6FC5D0A5AC3936B816D4DC70BA60975591359F86A0E254499FC2ACD3F06567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259647Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:07.621{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C70499FF914988162EDE7C9202764EF,SHA256=1615F50675EF65B188BD0A73CAE6B0A77C190672D1FE12994F0FE402ED3127C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259646Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:04.195{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-57647-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296652Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:08.261{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C635842543BEB2D4752543DE187A0C69,SHA256=CB070FFFE29E5CDDC42264DE10AE8907D3D877944EC28FAAB57B991FD7C982A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259649Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:05.785{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-59302-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259648Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:08.012{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33368C913A44A8B9E86CFBB1F3453FE3,SHA256=591BCB26F9038E097F251743FF5C9B9BAA61335ED27105224874C0E950EAA96A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296653Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:09.308{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D992A8C5B6F7DF693F50E744B3D4EE5C,SHA256=7C46A40B9659B57AEECF46BA4903F9549933559B55593C5F5FBDB3373E4776ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259653Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:07.198{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-1775-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259652Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:06.675{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50860-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259651Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:09.121{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5CAE54B383906E9AD36DC98D5F813FC,SHA256=421C300F9763AF48DC389E33F61CEED3E09AA92AD1F0310C2DEFE90DBE23AC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259650Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:09.058{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099BD70548052A6BD73FC938C7AC0251,SHA256=A4C93DBB017982FA1ED82F3813BDFFD2152A0AA64C3C50876B2D1AB346CCDB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296654Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:10.324{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7D18152F8AB61ACE129B851FF7407F,SHA256=DE954E35BBAA5C65DC45DB14C12066A29290831C21A222FD4D385C6D180C0E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259655Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:10.621{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56856887C0D5F472FED6F894819D3EC7,SHA256=FD9F96F9E90B89F7F61A39C6BB9BAF55A2F6D2B6B28B377359FB5128AFD0341E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259654Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:10.105{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8C2D586F2F121F167D77072E716843,SHA256=9D4C20A22A6A8EFEBC7B7886D86ACCAD7726B86C52685660546DBA439868EA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296656Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:11.340{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79EF84359344B4AB02E8AA59323ECCC,SHA256=561F722E630BE36194F8E3374162195B65392148D0F7E975D91EC623DBCA1800,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259657Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:08.692{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-3380-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259656Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:11.183{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBF12FF4DE733299A44B0200B093CA9,SHA256=205D40B24194BA88C7EED8AE9523387B1626CDC9BC806DC4292EED1DDB23A6AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296655Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:08.563{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59184-false10.0.1.12-8000- 23542300x8000000000000000296657Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:12.355{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEE63BB465720412D21A79E83B15567,SHA256=36194EFDCD25D0B100067DA55023E71054164DE468D2768A83503BEA5AC61542,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259660Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:10.193{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-4939-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259659Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:12.183{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3101074A5C719A389175C88D0C6AF3B7,SHA256=F2D9D7FDC2A277BE20BB17253D7EEBBF8585999D54805AB770B78D4CBA8DAE7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259658Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:12.058{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8E83E885DAD9832EBE3C87579E90C1E,SHA256=0CCA1D692A0A20B9BD024BA31E291F75A4601C9157E98AD105AE7C3F40F59FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296658Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:13.355{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A51BCE767A83B9FD33B8415CB8CADC,SHA256=F004851D15553A0D90A63A1AA8A9DB8B31E7CE11B5DFBCD4B2D30AC33296B421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259662Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:13.683{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9160C3F6EB0F18516021178546E3E3D2,SHA256=D7B31BB0995D8CBD9C1D7F30A55444ACD367218014E796B896BFA4FDB9018A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259661Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:13.199{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AEE2DBDE043DE8E9FDEB7894F4830D,SHA256=9B2D4A3760942407E4B49FFE20CAA19AD4FEA2209B16720E84BA093F11130EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296659Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:14.387{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AC8D7B6CDFA0E49BAFA04031A29134,SHA256=D3E26C1B314B16BC243257572D6B3AF645D09CAD05BF51A44A1169257D79BF91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259664Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:11.719{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-6443-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259663Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:14.230{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFB72B654DD0ABF07A82F7FEC58CF3F,SHA256=74F11E409A06E53E68C3449F05B5A8D07418725007D415806289C677D50C3AAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259667Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:12.550{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50861-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259666Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:15.230{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED64695AF4F082FD52C8DAEAA93AEDC,SHA256=62F360909E3D85EB80DC8E14BC079E209922A2A7832A44F49BE341B5FDF3CC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296660Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:15.418{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90495D0F2F2A7E9D1E63F55F698C4E8,SHA256=D281F4032B5D4B0FEF185F7DFA583EEDE8758468D5E65330D1E0D895D3E4EBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259665Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:15.027{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE38D8EBC508F8E8DC5CE49C664F49AE,SHA256=618BB30C123600C4E6A91E45F437C5FD4E19ED387B30709FC2FAD2820462E8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259671Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:16.605{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B938766D12A574DA50B94F5D4C12EE10,SHA256=6F3CB29A46F222778C66F3717EEBBF52E925257AF5C20815679C9EDBF66DBD15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259670Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:14.613{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-9409-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259669Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:13.238{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-7841-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259668Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:16.261{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA14BC15497FF95A06E2DA05677905C9,SHA256=CDAA08A7F39C2794F3E38942466F638E52BD5950852929D9D4471DAC71C3D1FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296661Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:16.418{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BD3E69D8D7B0409704F2384C655EDF,SHA256=13456C3CC0570E1E80F4FD4238C8310C71794F51DE7F9970D3C77D3B67AA2287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296699Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.683{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B457315DEF36F12DC97E34DBC46E26,SHA256=AE23491229EE51DC92375C626866B7A4BF728CEB8038773800CD55A724A868CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259673Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:17.949{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE8E1B34BE4C08A8A2FDCAECA7EBE79D,SHA256=38833153D18BFBD9A1E8AB0B6B014AF91FC96F6331F6EC6614C5C59895F0B49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259672Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:17.277{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEDB41527E8577F452F2CB7D9460B033,SHA256=C37FC0752693E742B94B93652A88A914667861FAB3E0EC5EB6C3243A9B543898,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296698Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:14.469{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59185-false10.0.1.12-8000- 10341000x8000000000000000296697Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296696Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296695Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296694Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296693Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296692Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296691Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.230{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296690Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.215{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296689Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.215{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296688Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.215{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296687Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.215{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296686Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.215{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296685Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.215{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296684Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296683Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296682Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296681Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296680Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296679Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296678Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296677Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296676Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296675Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296674Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296673Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296672Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296671Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.199{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296670Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.168{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296669Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.168{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296668Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.152{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296667Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.152{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296666Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.152{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296665Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.152{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296664Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.152{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296663Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.152{5097E253-8792-6149-AA29-00000000FB01}48165736C:\Windows\Explorer.EXE{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5|C:\Windows\SYSTEM32\SndVolSSO.DLL+bf8a|C:\Windows\SYSTEM32\SndVolSSO.DLL+c112|C:\Windows\SYSTEM32\SndVolSSO.DLL+bb05|C:\Windows\SYSTEM32\SndVolSSO.DLL+7c7a|C:\Windows\SYSTEM32\SndVolSSO.DLL+1355|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000296662Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:17.163{5097E253-9201-6149-9C2B-00000000FB01}5172C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl,,recordingC:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000296702Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:18.746{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AF1964D0C46F8E9F0AC4D0A1004774,SHA256=64261ABC2162FFA4F831A0F518F5870FCC086739CF602C4447F9BB3829A3FB0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259675Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:16.158{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-10990-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259674Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:18.293{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9081E4DFBE348A4CF44E27F020540C6,SHA256=0254D68AB20A7967B7AE4B56E5D63C61B90D5087390D4DDB2CE9BF42BC251FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296701Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:18.152{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED12C5722A5A62B32589B96949222B46,SHA256=2E294F880FA2744408BFEFB20EA9D48FC4F570EB2E893A11B96D86F37D67D5C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296700Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:18.152{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78F3B317B34548C3E8911673B4A4648C,SHA256=7EEA009B46830CD490E25C0BD1CAC1C418818B3C0F9BC6EBF61F68158C7A147A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296703Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:19.762{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FE326E3ADB2CAFE9F9662E7A07E517,SHA256=F4432C13F8E099C49F17EC7DFC90CA48BDDDD50749A35141837CB76C4CFA3E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259677Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:19.480{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50B1D2A14487AB4553E20E4AC6C28C04,SHA256=DBF8756C0FFBEEEB901C497549A1517A5DAF6FBA3F98A6B44EFDB1C692A2540A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259676Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:19.324{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2CF6E87A16AA6BBD8C1442FC50A3CA,SHA256=843A91009BEC7F4F05BBC6BAB2FD3B5FE58780A17118BFDA90C86AAB64848304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296704Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:20.777{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B366B95873FC733C1D87C37D42EF5F48,SHA256=7684BB67F4C0D41275A84FBDCF3AB1681AC653A4B26C469339435396215671D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259693Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9204-6149-2A27-00000000FC01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259692Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259691Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259690Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259689Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259688Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259687Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259686Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259685Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259684Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259683Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9204-6149-2A27-00000000FC01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259682Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.855{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9204-6149-2A27-00000000FC01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259681Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.856{C189DCE5-9204-6149-2A27-00000000FC01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259680Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:18.613{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50862-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259679Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:17.582{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-12390-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259678Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.339{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94D458CB1A52AC88AA654E299798617,SHA256=4B616680DE0480794E563DE570FA0A9E779793544D18BD65AB79445331538ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296705Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:21.808{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41816259A05DCB76C0F0C66C1F383466,SHA256=EB4CEFC3C8A8029C1BE4BC571B336DA0D489514760B5B00954DBB75D89BD933B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259711Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.543{C189DCE5-9205-6149-2B27-00000000FC01}25523704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259710Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:19.138{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-13907-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000259709Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9205-6149-2B27-00000000FC01}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259708Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259707Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259706Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259705Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259704Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259703Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259702Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259701Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259700Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259699Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9205-6149-2B27-00000000FC01}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259698Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.402{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9205-6149-2B27-00000000FC01}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259697Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.404{C189DCE5-9205-6149-2B27-00000000FC01}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259696Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.355{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8892C722B44D094965E90E63755AA7A4,SHA256=B6C8F4BBB3B06E3B5B7C88E6AB56CB11849E77E6F5BAB50BB626796FDDCD99AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259695Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.027{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21F9847EB40931F868C1C0D6DC15C854,SHA256=B9083934596A24A00ADEFF99093ACB9ECE4749FD149447287FD34792C1429083,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259694Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.011{C189DCE5-9204-6149-2A27-00000000FC01}3768996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296707Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:22.840{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034735F406F62B06B2B4A7D59DD57036,SHA256=9BBBF00E7BF9EF291D0022D4001517420B7FA49D2E874982D2C9A52092508466,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259740Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9206-6149-2D27-00000000FC01}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259739Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259738Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259737Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259736Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259735Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259734Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259733Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259732Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259731Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259730Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9206-6149-2D27-00000000FC01}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259729Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9206-6149-2D27-00000000FC01}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259728Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.746{C189DCE5-9206-6149-2D27-00000000FC01}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259727Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.543{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849B77AF0B4ABA0D14D139E3340F2C26,SHA256=91BE945903A220B37EE06C0A6372ED4EEFA888D181D63986A013A3F1F9424A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259726Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.543{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C75CCACF7621542DD7BB26B39409D3C,SHA256=5CAE19DC3923E2E28D7DE1D6FC555194846F20D3618E383F0ADEB6C3C998873F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259725Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:20.586{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-15342-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000296706Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:19.484{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59186-false10.0.1.12-8000- 10341000x8000000000000000259724Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9206-6149-2C27-00000000FC01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259723Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259722Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259721Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259720Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259719Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259718Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259717Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259716Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259715Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259714Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9206-6149-2C27-00000000FC01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259713Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.074{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9206-6149-2C27-00000000FC01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259712Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.075{C189DCE5-9206-6149-2C27-00000000FC01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296708Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:23.856{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D9140EE4EB4250821615ED1B2FE141,SHA256=25F3F4BB2DAD49E7B5D3C9FC42422EBC402828F32A12FE816E26448E33679731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259742Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:23.794{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2080C250B74CF06900A28CB948792882,SHA256=57E3B5FCFC330BCA7F785A9D174250154F21863477B59F67B7FC767B24963D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259741Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:23.450{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90A40D1B71A0BA923554CC49E20B73C,SHA256=D3016C247478A192E2F0BC2D7EB31682C36BFFD61DE22DA8BA9A3BDB8140BFFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296709Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:24.872{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A858673A6EC43EF8522B782BDAFB1E,SHA256=17338B7661D1EF2F084CAA48C4128F74A4E917B6A40A94B87950655E13A6255D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000259759Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.856{C189DCE5-9208-6149-2E27-00000000FC01}12042448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259758Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.622{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9208-6149-2E27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259757Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259756Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259755Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259754Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259753Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259752Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259751Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259750Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259749Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259748Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9208-6149-2E27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259747Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.606{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9208-6149-2E27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259746Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.607{C189DCE5-9208-6149-2E27-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259745Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:24.513{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C80C3F6498D0BD78F5AC1002A6EC3F4,SHA256=538D70514E72B80FE7BBF8794DEA6E29DBFB457E41D2144ED1D673AD71FCA141,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259744Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:22.100{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-16939-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259743Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:21.690{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com58361-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296710Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:25.872{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3BCD63451720033CFBBA865419ABE2,SHA256=1BDFF49096BBF0BC57D4B7ACAA306BF083B9B9FA607D36FE7FD1A8EFC634978E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259776Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.622{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59838F5AB01198EDB6A55880ECC29581,SHA256=CFECA01795D58597ECAC83E380DE81BABD1F0CCE138AEE168988DD191681F5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259775Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.591{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA4F3EFA6BFC780517A4E4490CC8139,SHA256=159F079FA835443925A2470F526E28FFA92252AC633BE8F7C1A99E5EF153815D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259774Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:23.614{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50863-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000259773Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.278{C189DCE5-9209-6149-2F27-00000000FC01}31843676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259772Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9209-6149-2F27-00000000FC01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259771Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259770Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259769Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259768Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259767Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259766Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259765Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259764Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259763Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259762Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9209-6149-2F27-00000000FC01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259761Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.106{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9209-6149-2F27-00000000FC01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259760Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.107{C189DCE5-9209-6149-2F27-00000000FC01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000259791Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-920A-6149-3027-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259790Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259789Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259788Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259787Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259786Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259785Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259784Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259783Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259782Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259781Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-920A-6149-3027-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000259780Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-920A-6149-3027-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000259779Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-920A-6149-3027-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000259778Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.591{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68EAA139E408DAA1A142F3904CBAE2ED,SHA256=956CC24CE03B8EDF3D1E707402C757524BB28350C778C633EAFB96136C67DCBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259777Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:23.736{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-18528-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296711Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:26.888{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=105DA3FF5696B23529DAE702D62E0F4E,SHA256=7DE386B4B6D5172B12C8944AD36FB08C5BEF9D713892EA59DD9DEC6BA745B021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259793Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:27.606{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46408C5E2BF84720CEE9E4A0AE8146A3,SHA256=1B9279A71DC487F4E8F0C0DC6346509A6D9FDB2DA8B40F22B2EC6E2F6E9115B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296750Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.403{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\TwinUI.dll+381436|C:\Windows\System32\TwinUI.dll+38153b|C:\Windows\System32\TwinUI.dll+37f40f|C:\Windows\System32\TwinUI.dll+1ee2e|C:\Windows\System32\TwinUI.dll+1e6df|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 354300x8000000000000000296749Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:25.408{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59187-false10.0.1.12-8000- 23542300x8000000000000000296748Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.247{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395B95A52935CFD8AF40DEB9DCD9A66C,SHA256=01A567DBB36D8A6418E5C7565E279AA8A94835448B6DCDAB8F5F1471597C663A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296747Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.185{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296746Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.185{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296745Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.185{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000259792Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:27.075{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E536FAE99FEEE8526193DCA3593B783A,SHA256=B95764CA5388000FE53D1140F46A9B6EC9099B5EBFEA0169C1FA7E9C7F26E58A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296744Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.185{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296743Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296742Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296741Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296740Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296739Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296738Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296737Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.169{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296736Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296735Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000296734Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000296733Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+2129ac|C:\Windows\System32\TwinUI.dll+b7750|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000296732Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+2129ac|C:\Windows\System32\TwinUI.dll+b7750|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000296731Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296730Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296729Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296728Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296727Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296726Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296725Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-A129-00000000FB01}43164684C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296724Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-A129-00000000FB01}43164684C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000296723Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296722Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296721Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000296720Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296719Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296718Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296717Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296716Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296715Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296714Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296713Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.153{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296712Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:27.091{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259796Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:25.175{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-20080-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259795Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:28.606{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31F6C69BB549F8747C677E95B46911D5,SHA256=1C211701481D16B002519DED4F784292BEC3563EDA0C33BDBDB83156D2581FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296755Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:28.622{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=743FE81033A4E356E69BEE96BCA440D2,SHA256=4FD1671B7801A319FD108F05883C394172EFCFBE82F68413239A8AC9614A99A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296754Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:28.357{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296753Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:28.357{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+106d66|C:\Windows\System32\TwinUI.dll+fcc75|C:\Windows\System32\TwinUI.dll+feecd|C:\Windows\System32\TwinUI.dll+17f1e8|C:\Windows\System32\TwinUI.dll+1539d7|C:\Windows\System32\TwinUI.dll+253f8e|C:\Windows\System32\TwinUI.dll+37e6ad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a 10341000x8000000000000000296752Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:28.357{5097E253-8792-6149-AA29-00000000FB01}48164120C:\Windows\Explorer.EXE{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+106d66|C:\Windows\System32\TwinUI.dll+fcc75|C:\Windows\System32\TwinUI.dll+feecd|C:\Windows\System32\TwinUI.dll+17f1e8|C:\Windows\System32\TwinUI.dll+1539d7|C:\Windows\System32\TwinUI.dll+253f8e|C:\Windows\System32\TwinUI.dll+37e6ad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a 23542300x8000000000000000296751Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:28.060{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBD4741B82AF9C4B23490A2365EA3BA,SHA256=29528670B2E8FBE5DD7161DDE1291A90EAF56E904D4CA2BF3CD640B0E4405328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259794Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:28.544{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C362E97FCB0AAEC54997571909C98D1D,SHA256=A99AAA6671B120AF82E1897D5F5ACCFB7D9BA274494E09EBAB6BC7652F455446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259799Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:29.919{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F1F5514F8987C134DC964D46C1BF8B4,SHA256=26C9F19B7056E5A87009679496A12E62F934BB1E6D57855B5C3A1855A0F0B1BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259798Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:26.656{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-21581-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259797Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:29.622{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F03FA0B32F5059E1D70927B58F90E5,SHA256=FCA5A6C6B143BD9AA6632C30ED4D2623FCD039BDD111830375CCB6BE951CD99D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296756Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:29.060{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29D57FD9E5F5BC88E11ACD0BAE7187D,SHA256=0643DF2746363BA76FC7F204935F9B980A32F3D15692E8C8412F5F497924ABB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259801Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:28.151{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-23074-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259800Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:30.637{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA3D5A4EEF18ACDB353BD9997BC0377,SHA256=952DAF0CB75BD73F15D2FF93045556ECA530C8D1EEF7F516C168968CC297E920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296757Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:30.060{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED84580A242397B9C58A4BB542B5485,SHA256=915BE46B5F05D258004F279699D6BE627D292F43D8CE92776EB104A28A031EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259803Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:31.653{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC2F38C1C9A1B5027A2DF151AC7742A,SHA256=A17BA5F93CA92D1ADAE2EC00FDB062A0ED19AC3DD023F0F831CD62EC5A6BB7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296758Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:31.075{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0604E25E51240069E56718EBF2D875CB,SHA256=226D0D4BB20B96F52565628889F56959C31F244EBD8B0E2D4D04F664CE88C904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259802Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:31.356{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9819AB8F22AC3BE8C0C251934E45F6BD,SHA256=5068E8788786C636CEF73CDB71CBC79306F3365580CB8DE8B97AFDF196BABA96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259807Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:29.567{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50864-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259806Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:29.478{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-24544-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259805Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:32.700{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43861AB02DB458165389588411953304,SHA256=BBA034DFE2BDAA4A63568AD122910B930631FF522C8E3B142512ADF0C25545C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259804Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:32.700{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6292FE470FB939C41AB7CACDC247F07,SHA256=3EE7B709A995674E7A10E46A413C9C44DB19EAFB294E3CD4EFFE226AFB226900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296759Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:32.091{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D77C9735C06399FE8E7EE56A877BA9F,SHA256=744629C551AD0B6153B237AC8C2D2DE4B29C06660B42D4B46F9A4F381491BA84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259809Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:30.908{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-25849-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259808Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:33.716{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF25AB54A835B8487032DF2BB802619,SHA256=AD4437FFD83AE30234180E56760B9ADEC90F483342725E0B3FCC86DC858C267F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296761Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:31.345{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59188-false10.0.1.12-8000- 23542300x8000000000000000296760Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:33.107{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0C18FF2D3D14E6CE3346E0A9EB263E,SHA256=C62296400FB1D14FBFB6E22808FB096077E89B8F7A6A20D2C188E3122B443BDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259814Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:32.385{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-27422-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259813Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:32.384{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-27419-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259812Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:32.292{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-27258-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259811Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:34.778{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD27D53AD2E3C229CC39DD650501503,SHA256=5FA520B4047E9B9A95C9A2FCE784B2E830F1886012B7775AD34093C9133CFCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296762Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:34.122{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5570AC947FD7039BBCCF6769345FB0EF,SHA256=02E434B762211F40F5C82F894BB78F1F8E84340AD1DE483DE2955955EA29D7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259810Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:34.325{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEE87FE0D25822A9B96A2DE11DC2895B,SHA256=0412D9E15D97EF269F4B4A9B698204BBA90809BCD9B92FF5C3018F3E38FF3341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259818Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:35.981{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9ADBFA4614269FFA06F7C9B786346A1,SHA256=2BD443AF2821EB56E8C146139ADB602C87399E84E4288823B03731AB23B274AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259817Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:33.974{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-29016-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259816Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:33.957{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-28971-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259815Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:35.825{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B319D02CD4A194960D94272B4435E52,SHA256=BA5F1F0FD6B5A969E93521F8A3BD9E0FA173E80DB469AD6A74B790EE21215221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296763Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:35.153{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E067E659D31CCE44BB26B2062D25B1D,SHA256=D828AAC884C0D73247CDAFB3A3C2D7979EF9D2553320317A8620DA384074C81C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259820Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:36.825{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B4C94326617857F52143BA2CEF1216,SHA256=1214BD9E36D2C57D6DDD831B481BEE39F6E2B99B9AED020609A5F5A28A495D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296767Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:36.409{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296766Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:36.366{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296765Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:36.329{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1371MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296764Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:36.170{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E69721574A3510BDFDAD05F817A0B9,SHA256=BF3AC4259A17270B1C8B1F64D2059D95B0D69219176CD257197F5FE801346A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259819Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:36.278{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259822Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:37.872{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55171E34D3DCFEF5278F7E8729092C77,SHA256=BE6C19E9866121B462F5E605F43F27777644E4AD883AD4E38B2D3872254262DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296770Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:35.703{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59189-false10.0.1.12-8089- 23542300x8000000000000000296769Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:37.332{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1372MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296768Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:37.175{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDF4D110E1923839C27357E23F39E45,SHA256=81C4EF598486CE02C821148908C732B35D38F0578EA1A556349592203F7C44DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259821Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:37.481{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C825CF0EBD20677DA1AD427FE61F4288,SHA256=A9329C5F61A62564598F9122E17566A0E857BEE57D547627891D28AE15C5CFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259827Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:38.872{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6AA3EC2F648D62B0FA869C88FF5BCB,SHA256=F59554E12431416032287E4EED5D433878CA8A33BE007E9D1C3A9757F0BC9FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296771Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:38.208{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC61FDDAF1E784A57CD9841467D80818,SHA256=B8FB8D604A8807A262C15EC65CBB77C2EA002938B2D1A2AB3E833532EEC3CAFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259826Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:35.754{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50866-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000259825Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:35.580{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-30604-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259824Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:35.549{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-30580-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259823Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:35.535{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50865-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259831Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:39.919{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD25F7C5EFD0EA2954E73C413E57DB3,SHA256=6D82C301F3B1274ADF9B0EEB4BAC52DE176F874AE3D89477731C8859368054E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000296773Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:36.476{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59190-false10.0.1.12-8000- 23542300x8000000000000000296772Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:39.223{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A210AEDAA602F67203148F3AE906E99,SHA256=1C246565F480490544F1AF4050E4C6AEA4F3E5026414AF547964DB81F8F8F163,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259830Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:37.112{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32200-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259829Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:37.088{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-32156-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259828Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:39.012{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79AC2CCFF2014830D66C3400081404A5,SHA256=9A9A82288957EF2EDEC84FEABD7F031633CB3739B304AA8ACB76E9364BC1FA85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259833Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:40.950{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95150740322241D3442A8D2F016B3FF,SHA256=BACC2F46FE08A81F96C57BFEDC0E1EFCACAE572DFE84B2F4E947085C76415129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296774Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:40.239{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39613A5E5180FA685502BA5D2A4AB588,SHA256=4E8B521B3D86ACB2B125DBCD9395AD6CFB9C6381B5E2AAB58BC44BA537BCE6D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259832Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:40.450{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B4CFD3289A978AC17BDBC52B1C1E534,SHA256=A46D8F20002933A22D52A9ED153DDB0B5C7B04A3E1B574C53AB1FB1E93F5F8F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259837Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:41.981{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E23BF021486B7E5B1595717609084336,SHA256=F3B9C6CEB739192E9BD1F8588734957A543989DA288E604E9862DB43EED0E4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296775Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:41.270{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D8A3090ABC10E1E86D4DEE2059761A,SHA256=2724EBBD763C895710C4137219636EFDCB1DECF93B38E4BA10BEC1965F67494F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259836Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:41.778{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4DA47E4476913F8FEF9986EE7677164,SHA256=69A46E2BF21086DB4F1F3803778A9319AE97E31BBE393C42F54B08AED75A0DA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259835Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:38.596{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33792-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259834Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:38.587{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-33770-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259841Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:42.984{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2C5AFE6A360027FE0F2072B17C00FC,SHA256=D61F1C7497C6D4B7F1788F0B8F98FB9AFD13EE1C4309678DA889EAFE6DA1837D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296776Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:42.301{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F31733C11D9B359E3638981411F713,SHA256=83AEFE5B226B36A6B96060D09E2202D99413D9DDFD13D6FE0DDE94321DE7D74E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259840Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:40.707{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50867-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259839Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:40.145{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35315-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259838Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:40.002{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-35184-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296778Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:43.312{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA812AEEEF98840F3C452DE165BCB8BF,SHA256=D55C0FAB2FF53589B72D3D9415DE4FB2DFD3FF86B8B16FE2F8C16174769FF88A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259845Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:41.661{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36908-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259844Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:41.421{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-36652-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259843Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:43.438{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1363MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259842Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:43.249{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E9322BC9EB9BF33069AF525D0897494,SHA256=45B4EB8D2D781E86D4CE55F5FC9B56D5015274066BB9F17570001D8388CB1045,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296777Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:43.139{5097E253-8792-6149-A129-00000000FB01}43167352C:\Windows\system32\sihost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000296780Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:42.368{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59191-false10.0.1.12-8000- 23542300x8000000000000000296779Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:44.328{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA99C767F62139D0E368AD5BFF425923,SHA256=54B78B7353D7FD631C0B82D19C4E330B432E0FF37157D238AFF18DA845F641AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259848Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:44.824{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7A41C6C995A51A2D87FF1B4E3934512,SHA256=0245F1E223FFC5687C9E085826E9D26DA222F98BBD6785035A36F43729C89AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259847Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:44.452{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1364MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259846Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:44.060{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA259C34A0C1E68CCEE5A9D28CEBF27B,SHA256=A7089A555559697361CDE86DED67DB99F935BA09CCF0470FDC4E8DD4A64973C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296781Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:45.343{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060041186C5912FF1F9267A89FDA408E,SHA256=C7EFEBA00E08739CED594A78B70AEDD673EA7D5DA8F0610E28719B2D99DBC793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259849Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:45.077{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC51DA37EDBE0002D0E62319543F1F18,SHA256=6C747432EBB26348E69113437271B82C560E79587FB4551590AE4676740FBA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296782Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:46.359{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143AC4A159ACB841E0A1C2C125F388BB,SHA256=9ABE9AF271C5273631992CA0117EE86F074173B517298A69247CD4A0E5BD406C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259853Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:46.530{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92C6474ED64C120545363BB683452FAF,SHA256=EBA746E3BBA4E22913E15D901276A2E7188EBFE0DDACB3CA4DCB80851107AEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259852Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:46.092{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89149E52CDC1899AE06C46CB1E8B6E2E,SHA256=C49A2E86114E001852FBC8F610C6C3914295814F5AE807ADEF5414E1CEF543A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259851Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:42.973{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38249-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259850Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:42.883{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-38057-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296793Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:47.359{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6031A6F46251699BD819479C8F17C2,SHA256=B8F96221274198D18BC39EDA52467229C7059352DFDE0B48822C3FA7F75EF2D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259856Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:44.611{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39760-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259855Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:44.567{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-39655-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259854Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:47.108{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5289B2D42A23723EE4849B5C2BF79DD,SHA256=EA1052821AD8C55F8DB98D1DAFC8760840D215B9F88DCB7D445DD4A24AD70725,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000296792Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000296791Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0508ab6a) 13241300x8000000000000000296790Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0xf61a1721) 13241300x8000000000000000296789Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebf-0x57de7f21) 13241300x8000000000000000296788Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0xb9a2e721) 13241300x8000000000000000296787Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000296786Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0508ab6a) 13241300x8000000000000000296785Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0xf61a1721) 13241300x8000000000000000296784Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebf-0x57de7f21) 13241300x8000000000000000296783Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 08:04:47.234{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0xb9a2e721) 23542300x8000000000000000296836Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.625{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DFB154D18F1E6105D8300CEED8FD4C,SHA256=DAC33C4EE250193C8FAFAE10D6D1F5267AA2D0473852F5DB0D11AA657A99803B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259861Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:46.265{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41308-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259860Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:46.265{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-41309-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259859Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:45.740{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50868-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000259858Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:48.123{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B6CDC48798AACB461953E09C4D21B9C,SHA256=6522BDDB73A9C4C76E7B55ADAE68DEF62A62E882B237CD542B5C0623827C7238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259857Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:48.123{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9515D18F712FFC3E0B50107FF634AB0B,SHA256=8C99EC1F90F5CC10E80AB24369922BCF0E1648E4E71A9D0D659D01FD7E35A4EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296835Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296834Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296833Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296832Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296831Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296830Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296829Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296828Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296827Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296826Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296825Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296824Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296823Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296822Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296821Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296820Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296819Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296818Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296817Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296816Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296815Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296814Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296813Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296812Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296811Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296810Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296809Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296808Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296807Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296806Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296805Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296804Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296803Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296802Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296801Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296800Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296799Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296798Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296797Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296796Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296795Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296794Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:48.156{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296837Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:49.640{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA77B61C3BCA3873C680552FAB79AFF,SHA256=7831B167C95FB50D0E7D7ED52B3ACA0CAA39DB76006BA0F8B7D5F2471CEC04F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259863Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:49.530{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B52BC3F9E23F621132DAC43778C2691E,SHA256=C80E0F3EE2FC1B7F5D898A1C87E188767FF509B675F3F7DC074AA2A85A3FBA13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259862Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:49.155{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEAE4ADB6CFCA525E36739CEB8581884,SHA256=CC8959A705337296B3FA96F4895721E19C2C77A6A2343009DFAC2924ED3B700F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296839Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:50.656{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39D222B4C594F53F9A137AB597F55F3,SHA256=DA7F366EC742EE2B87530A7949120C5616EABA344591E426E445C62EBF467515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259867Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:50.202{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DED2A659017931DFF55F85099065E4,SHA256=A100E00792FB0032B242EE9A6E3954B649AEBFC6C2458098F622F6EEABB23AB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000259866Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:47.798{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com57264-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259865Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:47.720{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42859-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259864Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:47.702{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-42842-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000296838Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:47.535{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59192-false10.0.1.12-8000- 23542300x8000000000000000296840Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:51.656{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E34EE77AC0E43A2B39EE0C1DD57DB0,SHA256=2675EC578A7A3370EA18AA498E1E882744786151E6B8894B3A48E8A6B2DDD96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259869Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:51.420{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878C50163AE1CE9DED5C07E103F54A47,SHA256=4F016002B8DF0A7D1B60BE94BE30B7E7CC4BAFF431CE80550956DD3C2D929880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259868Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:51.139{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=536CA7666F085BBC1A29ABB650B538AC,SHA256=8167125E517A4F23AB36B2AC93B8FCC035D1B322E542363978C0578F07A2717F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296849Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.687{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F179BA31CBA9E5F46BF942AFCA8BCD0,SHA256=26ED24F6BD375744B2EDF4E9FF939114BCFCF2DCFD7242D6E6C5CB58B3973857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259873Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:52.639{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FB29B5440FAF53D8E071876C293A477,SHA256=68CFE5A55C431B5D24A2B94233DF7C97CE9D71A42B4E50FCE9E84F02321E60DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259872Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:52.452{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DE7B6F3C555CE5EC2DE05E7CC6D0624,SHA256=D040DE498388A1EC8C7B851AD6ED857742B3501E51E908E93DE56F5FB2A0C175,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296848Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9224-6149-9D2B-00000000FB01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296847Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296846Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296845Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296844Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296843Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9224-6149-9D2B-00000000FB01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296842Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9224-6149-9D2B-00000000FB01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296841Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:52.578{5097E253-9224-6149-9D2B-00000000FB01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259871Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:49.421{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44596-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259870Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:49.247{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-44407-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000296866Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.906{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DB37FAA7FF9A34714EF281A3B39647,SHA256=87CECE67806FAE4789DA96D9C2FE154D7899189A8BBD2FF1865EB8DABFF2C9B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259875Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:53.483{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE94D6661A76FFEE5BA79268D0E6EC85,SHA256=4C90C449AF50528E98BF89730F7DC24034FBADECB6B311EBD383BEE03510760E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296865Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9225-6149-9F2B-00000000FB01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296864Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296863Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296862Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296861Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296860Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9225-6149-9F2B-00000000FB01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296859Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.859{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9225-6149-9F2B-00000000FB01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296858Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.860{5097E253-9225-6149-9F2B-00000000FB01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296857Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9225-6149-9E2B-00000000FB01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296856Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296855Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296854Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296853Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296852Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9225-6149-9E2B-00000000FB01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296851Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.187{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9225-6149-9E2B-00000000FB01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296850Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.188{5097E253-9225-6149-9E2B-00000000FB01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259874Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:50.705{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-45922-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259879Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:54.498{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182C1E6602EA63C9A4A186C33A7D7868,SHA256=9A81C53259FD77D794EA247CDB969EBEE3FB6A2EB3FCF2A82B39D924E6BCED30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296909Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.703{5097E253-9226-6149-A22B-00000000FB01}64405992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296908Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9226-6149-A22B-00000000FB01}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296907Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296906Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296905Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296904Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296903Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9226-6149-A22B-00000000FB01}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296902Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.531{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9226-6149-A22B-00000000FB01}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296901Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.532{5097E253-9226-6149-A22B-00000000FB01}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000296900Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296899Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48164864C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296898Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296897Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296896Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+11d44|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296895Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+11d44|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296894Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296893Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296892Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48167036C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296891Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296890Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296889Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.453{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296888Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.437{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296887Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.437{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296886Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.437{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296885Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.421{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9226-6149-A02B-00000000FB01}3312C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+7376|C:\Program Files\Mozilla Firefox\firefox.exe+5799|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296884Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296883Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296882Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296881Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296880Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296879Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-9226-6149-A02B-00000000FB01}33124240C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+8b85|C:\Program Files\Mozilla Firefox\firefox.exe+5799|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296878Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.410{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2MediumMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-9226-6149-A02B-00000000FB01}3312C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000296877Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.406{5097E253-9226-6149-A02B-00000000FB01}33124240C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+7376|C:\Program Files\Mozilla Firefox\firefox.exe+5799|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296876Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-483D-6148-1300-00000000FB01}9205536C:\Windows\System32\svchost.exe{5097E253-9226-6149-A02B-00000000FB01}3312C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296875Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-483D-6148-1300-00000000FB01}9205536C:\Windows\System32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296874Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296873Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296872Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296871Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296870Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.390{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-9226-6149-A02B-00000000FB01}3312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296869Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.375{5097E253-8792-6149-AA29-00000000FB01}48167424C:\Windows\Explorer.EXE{5097E253-9226-6149-A02B-00000000FB01}3312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\windows.storage.dll+10932|C:\Windows\System32\windows.storage.dll+10629|C:\Windows\System32\windows.storage.dll+104ff|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000296868Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.385{5097E253-9226-6149-A02B-00000000FB01}3312C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000296867Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.015{5097E253-9225-6149-9F2B-00000000FB01}3841896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000259878Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:51.631{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50869-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000259877Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:51.042{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-46071-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000259876Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:54.155{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=097977DB1A9C5864D2D4942154AFE6AF,SHA256=15D28493829022AAFF17866C5112B027097059AC07EEEC6951E90D57B95DBD0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259883Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:55.733{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C04AE55A7D88B9311D344C467A3A060,SHA256=7856EE91C95278D6B8DCD78D99371D2F5C2C95F23DF70597DD1F788EABEF7271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259882Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:55.514{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAEFE13D21F7E930A0F477FAC41FBAA,SHA256=789B0BF2C92A1D09A41B7E389FF3A5B42B526A1C0DEAD836447413309CEB5908,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297030Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.984{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000004498B31E84) 10341000x8000000000000000297029Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.984{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000004498B31E84) 10341000x8000000000000000297028Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.984{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(0000004498B33E5F) 10341000x8000000000000000297027Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.984{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b52aff|C:\Program Files\Mozilla Firefox\xul.dll+73e84|C:\Program Files\Mozilla Firefox\xul.dll+12470d8|C:\Program Files\Mozilla Firefox\xul.dll+8ad21|C:\Program Files\Mozilla Firefox\xul.dll+8ac78|C:\Program Files\Mozilla Firefox\xul.dll+abdcbe|C:\Program Files\Mozilla Firefox\xul.dll+8723f|C:\Program Files\Mozilla Firefox\xul.dll+c2fb2b|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+1bb4759|C:\Program Files\Mozilla Firefox\xul.dll+1b5f3a6|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+19eeeaf 10341000x8000000000000000297026Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.968{5097E253-9226-6149-A12B-00000000FB01}44203160C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297025Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.953{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297024Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.953{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297023Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.953{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297022Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297021Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297020Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297019Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000297018Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000297017Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-0C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297016Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+c0456d|C:\Program Files\Mozilla Firefox\xul.dll+bfd604|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+1f02d5c 10341000x8000000000000000297015Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297014Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297013Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297012Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297011Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297010Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297009Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd0c4c|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572 10341000x8000000000000000297008Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd0c4c|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572 10341000x8000000000000000297007Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd0c4c|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572 10341000x8000000000000000297006Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297005Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297004Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297003Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.937{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297002Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.921{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297001Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.921{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297000Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.921{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000296999Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:55.921{5097E253-9227-6149-A42B-00000000FB01}4180\chrome.4420.2.11509637C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000296998Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.921{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c2501|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296997Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.921{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000296996Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:55.921{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.2.11509637C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000296995Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:55.921{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.1.187520144C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000296994Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.906{5097E253-9226-6149-A12B-00000000FB01}44205300C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000296993Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:55.906{5097E253-9226-6149-A12B-00000000FB01}4420\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000296992Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.906{5097E253-9227-6149-A52B-00000000FB01}61486816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296991Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.906{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296990Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.906{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b5f85d|C:\Program Files\Mozilla Firefox\xul.dll+b6f7fa|C:\Program Files\Mozilla Firefox\xul.dll+b4ce69|C:\Program Files\Mozilla Firefox\xul.dll+b625a0|C:\Program Files\Mozilla Firefox\xul.dll+1a1a5c2|C:\Program Files\Mozilla Firefox\xul.dll+19205a2|C:\Program Files\Mozilla Firefox\xul.dll+191e8cd|C:\Program Files\Mozilla Firefox\xul.dll+3858d8|C:\Program Files\Mozilla Firefox\xul.dll+fb7376|C:\Program Files\Mozilla Firefox\xul.dll+fb6c0d|C:\Program Files\Mozilla Firefox\xul.dll+fb6e03|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457 10341000x8000000000000000296989Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.906{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 23542300x8000000000000000296988Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.906{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A09511A8B248A51CFC523E807AE1805,SHA256=BE584FED3F55E245C15ED2D35F38DA8A2D56B6FD27AF7E26F5674EDCCBF64839,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296987Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.875{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296986Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344|C:\Program Files\Mozilla Firefox\xul.dll+1b549ca|C:\Program Files\Mozilla Firefox\xul.dll+16f342d 10341000x8000000000000000296985Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a46044|C:\Program Files\Mozilla Firefox\xul.dll+ac028e|C:\Program Files\Mozilla Firefox\xul.dll+e3a352|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344 10341000x8000000000000000296984Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82 10341000x8000000000000000296983Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344|C:\Program Files\Mozilla Firefox\xul.dll+1b549ca 10341000x8000000000000000296982Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+e3a041|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344 10341000x8000000000000000296981Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344|C:\Program Files\Mozilla Firefox\xul.dll+1b549ca|C:\Program Files\Mozilla Firefox\xul.dll+16f342d|C:\Program Files\Mozilla Firefox\xul.dll+16c6344 10341000x8000000000000000296980Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6|C:\Program Files\Mozilla Firefox\xul.dll+175d1af|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+16c6344|C:\Program Files\Mozilla Firefox\xul.dll+1b549ca|C:\Program Files\Mozilla Firefox\xul.dll+16f342d 10341000x8000000000000000296979Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296978Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296977Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296976Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296975Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296974Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296973Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.828{5097E253-9226-6149-A12B-00000000FB01}44204848C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296972Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.843{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.1.1875201444\1889276190" -childID 1 -isForBrowser -prefsHandle 2160 -prefMapHandle 2156 -prefsLen 697 -prefMapSize 244831 -jsInit 1120 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 2172 1e78d59b738 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000296971Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:55.828{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.1.187520144C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000296970Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.812{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f3e|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6 10341000x8000000000000000296969Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.812{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f17|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6 10341000x8000000000000000296968Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.812{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7eec|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6 23542300x8000000000000000296967Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.765{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A67F09A6CB3F4CEE871205731501D3,SHA256=CD24DC5D6190CAD0485B944550303D7E6E73CE3883054E1EC4543918EE7F9C47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296966Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9227-6149-A52B-00000000FB01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296965Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296964Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296963Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296962Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296961Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9227-6149-A52B-00000000FB01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296960Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9227-6149-A52B-00000000FB01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296959Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.724{5097E253-9227-6149-A52B-00000000FB01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000296958Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.718{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9BC2E3FE1AE1047B3D277E784CBA870,SHA256=3987F9B79D26E069DD1F4E8B1972ACB4E899D4F1DDB9B30E2DAF91B35AD73A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296957Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.656{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296956Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.656{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296955Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.640{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296954Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.640{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296953Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296952Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296951Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296950Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296949Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296948Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296947Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-913C-6149-832B-00000000FB01}68727268C:\Windows\System32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+12932|c:\windows\system32\AUDIOSRVPOLICYMANAGER.dll+45ff|c:\windows\system32\audiosrv.dll+2a963|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296946Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296945Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.625{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000296944Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.578{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cache2\doomed\22963MD5=B73D477915D0124D2E49398EDEA50A66,SHA256=AF0AF6C7452AA5A8CFA70AD371FF0FE3C0170BE84E53C9F377C8C4CC5C3E97D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296943Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.578{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296942Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.578{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296941Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.578{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296940Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.578{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000296939Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:55.578{5097E253-9227-6149-A42B-00000000FB01}4180\chrome.4420.0.161662067C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000296938Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.562{5097E253-9226-6149-A12B-00000000FB01}44205300C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000296937Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:55.562{5097E253-9227-6149-A42B-00000000FB01}4180\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000296936Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.562{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296935Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.562{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296934Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296933Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296932Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296931Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296930Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296929Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296928Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296927Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296926Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.546{5097E253-9226-6149-A12B-00000000FB01}44204848C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+1756ea4|C:\Program Files\Mozilla Firefox\xul.dll+9fbc79|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296925Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.548{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.0.1616620670\1728258852" -parentBuildID 20210903235534 -prefsHandle 1320 -prefMapHandle 1312 -prefsLen 1 -prefMapSize 244831 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 1428 1e7ff162d38 gpuC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2MediumMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000296924Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:55.546{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.0.161662067C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000296923Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:55.546{5097E253-9226-6149-A12B-00000000FB01}4420\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000296922Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.500{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9BC2E3FE1AE1047B3D277E784CBA870,SHA256=3987F9B79D26E069DD1F4E8B1972ACB4E899D4F1DDB9B30E2DAF91B35AD73A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296921Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.500{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5B2D22AFD03D90F809C234B7428EDD,SHA256=11A58E755556D256E6513AE1A334E077F8E8F811E3FF34E9A46FAD7EC40CC928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296920Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.500{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED12C5722A5A62B32589B96949222B46,SHA256=2E294F880FA2744408BFEFB20EA9D48FC4F570EB2E893A11B96D86F37D67D5C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000296919Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.484{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000296918Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.359{5097E253-9227-6149-A32B-00000000FB01}74687712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296917Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9227-6149-A32B-00000000FB01}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296916Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296915Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296914Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296913Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9227-6149-A32B-00000000FB01}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000296912Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296911Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.203{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9227-6149-A32B-00000000FB01}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000296910Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.204{5097E253-9227-6149-A32B-00000000FB01}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000259881Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:52.735{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47898-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259880Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:52.197{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-47537-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 10341000x8000000000000000297235Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.923{5097E253-9226-6149-A12B-00000000FB01}44203160C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297234Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.923{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297233Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.923{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297232Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.907{5097E253-483B-6148-0B00-00000000FB01}6321932C:\Windows\system32\lsass.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297231Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.907{5097E253-483B-6148-0B00-00000000FB01}6321932C:\Windows\system32\lsass.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297230Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.907{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A10C71A49B561E11E3470ACCA1FC762,SHA256=34C653312BB80C2E9D465DBDD74EB0DDD1DBB5BE4EACEC43AAE07C551F864841,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297229Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.892{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000297228Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.892{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000297227Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:56.892{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297226Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.892{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000297225Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.892{5097E253-9227-6149-A42B-00000000FB01}4180\chrome.4420.6.41327713C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297224Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.892{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297223Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.892{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c272c|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000297222Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:56.892{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.6.41327713C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000297221Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.892{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.5.27724511C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297220Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.876{5097E253-9226-6149-A12B-00000000FB01}44205300C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000297219Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.876{5097E253-9226-6149-A12B-00000000FB01}4420\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297218Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297217Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a46044|C:\Program Files\Mozilla Firefox\xul.dll+ac028e|C:\Program Files\Mozilla Firefox\xul.dll+e3a352|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98 10341000x8000000000000000297216Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297215Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297214Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297213Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297212Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297211Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297210Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297209Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297208Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297207Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297206Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297205Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297204Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d 10341000x8000000000000000297203Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297202Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297201Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297200Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297199Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297198Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297197Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297196Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297195Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-8790-6149-9829-00000000FB01}2516208C:\Windows\system32\csrss.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297194Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.845{5097E253-9226-6149-A12B-00000000FB01}44204848C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000297193Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.849{5097E253-9228-6149-A82B-00000000FB01}7684C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.5.277245112\1007150842" -childID 3 -isForBrowser -prefsHandle 4012 -prefMapHandle 4280 -prefsLen 7186 -prefMapSize 244831 -jsInit 1120 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 4316 1e7921b2938 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000297192Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:56.839{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.5.27724511C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000297191Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.708{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297190Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.692{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA170B81BAAD4B7C81C375FC408D4CFB,SHA256=A57A4F5D7E3A24E4ECEBC171B51A4B4608E94FB64176DE90CFCB5E0F92AD8C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297189Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.676{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE3B619C63C31BDA5C3824A0B9F162F,SHA256=E0518DD1E014CF2F2CBF778B8C891941A1C6BBBF962814807FE1E83C81D3C8D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297188Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.623{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297187Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.623{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297186Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.623{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297185Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.623{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297184Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.577{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297183Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.577{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297182Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.577{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297181Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.577{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297180Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.577{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297179Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.577{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297178Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.545{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297177Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.545{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297176Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.524{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=0328245E8F5D6BC987C6685144538496,SHA256=9813055FB3E82CE974D6F2A7D8A6DCBB0879DBC98D840602174C9AFC90568BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297175Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.524{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=5D4E4BBDE04F52457A4E3E4EB25209F7,SHA256=59FFEDEA0674FA13DE1F920AE3AA7DBC375CBFA28BB8B7F1783ED6DC79A5B1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297174Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.524{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=80340E65A4566454C4247FDB04E934CF,SHA256=368B8E55AB17C3E228ECF7397A9EF4C533C20417EDCACAE6270A2123E51FD552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297173Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.508{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=9D93EB60DC97C82AD2E9F4E3463AD200,SHA256=35007C486644AC055E9519A7208981D415AA2058EDE779234096EE7094FC99EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297172Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.508{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=C9D8BF8DADBAE1853F39EBC3FBECD081,SHA256=FE9770A3AA08CD5BD42C0F306503ADD47BA925B630FBBD330FBB3B27A5303E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297171Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.508{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=188D79E1F278F210601049117B35438C,SHA256=29B5A11B1200BF084F0308CD4A3A959A58A7308BE89B5051DD2059FB91E0ECC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297170Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.508{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=91F58FA4B6A83D0E786D7C6C6351030C,SHA256=B39256DD11C0CD6566E6C81C7F0919B0681DA1FB0EF602CEFC5C705609AAA844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297169Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.508{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=86D734071098CFD62911A8FA9C87D6A3,SHA256=1049B7A6EF95F80D97547E5D8B154189E972EC26F27CE29874BA1E44509A5FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297168Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.508{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=2216E19DFD331F1FF76C092321B56485,SHA256=650FA75C893FF6798F6022D4707F7C0CE1079C97C77FC702FF543DE4452A287A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297167Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=24C8C77B00C2FC97F8AFF34C78A26FB0,SHA256=B23DC3FF21703FE7A8D3B42E9963601AD666BDF91C209D1D356386EACD107A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297166Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=CA44C2C54AE0B72FA1D43843EDF4306F,SHA256=30E5BDF6AEFCCBAF0CD0194E4F350EAD0978D1C668A35FB9EF3DB7A8A0BC1B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297165Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=07AAC8781B5C7A1D4D4086057081F10D,SHA256=D30543C0C95643B1B87E1324BB751CF43F4494EB934C41447EF00A4C57A99AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297164Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=29629223838B150D32066B47A37D7B22,SHA256=BD5F217A0FF45B6696BCB865E88F58B822747F19195062B0DE96D014191E5320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297163Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=7BD89D98295FAD91A797A361F505EF8C,SHA256=813A5BAD526A1FE1793B541F13FC5B54B9621CD6A68914D312D70EE59908F93B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297162Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=D403884AAB8A13FDC77100D40F712E6E,SHA256=858D67BD4F9D40423569B63B1AA7BE2850B42173B4D8E6FA48A433A54273F2CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297161Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=DEA94695AAB300A0DF65B6A37F79F08D,SHA256=DED66BAB1F3916D63C22296069165A980FDAF7825A40B8959D79758F620FDA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297160Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=35DA86BFDA8984A6D49A73C7EB60874C,SHA256=1A293527B40BD97DBC4AE8552923CD7D438B9C2CEAE9B1BD7B8563935FDCB935,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297159Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297158Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.492{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297157Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=2216E19DFD331F1FF76C092321B56485,SHA256=650FA75C893FF6798F6022D4707F7C0CE1079C97C77FC702FF543DE4452A287A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000259886Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:56.514{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C063B92E7719760454C65B71DB45E36,SHA256=21084031072B79090426BC9372ACE0DA119ED166C6D5BDE553CBBB61BC79A99E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297156Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=6925DA2F4982C34937214D5D121975F6,SHA256=29D6F0E6E0C20364C830B256D6653EF62B14CBDF03B2C0CCB80A7A32FD56859D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297155Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297154Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297153Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\update-config.jsonMD5=7ABFFE156CFCF61314ACF60B8B8CADE8,SHA256=D33B384DA2A6542D3F4892AAE6CAFCB2B769D867533F71EBF28DACA82EF68CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297152Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=3B525D20AB0FD94A6337A1305026B6C4,SHA256=1FFC3B216DD0B23F73D3E1F722FD7AE8EE9BDB41530ED924C6E01D085CEFED3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297151Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.477{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\db\data.safe.binMD5=2C3D768B790EED2F0D1DC79FBF7D96BF,SHA256=378A5FACD0945C9ACCE71D3B6E0FD9859F9B272763FDBD2C8094EC1F334FB7A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297150Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.377{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b7b74f|C:\Program Files\Mozilla Firefox\xul.dll+1ab2937|C:\Program Files\Mozilla Firefox\xul.dll+efa040|C:\Program Files\Mozilla Firefox\xul.dll+bfb6f4|C:\Program Files\Mozilla Firefox\xul.dll+3136cd|C:\Program Files\Mozilla Firefox\xul.dll+399c9b|C:\Program Files\Mozilla Firefox\xul.dll+39949d|C:\Program Files\Mozilla Firefox\xul.dll+be61ca|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355 10341000x8000000000000000297149Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.377{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+1f02d5c|C:\Program Files\Mozilla Firefox\xul.dll+be9f77 23542300x8000000000000000297148Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.324{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE43EB95DB4E639E0A1563011983DEDA,SHA256=51E177280FEBB380EE4E36D23131A47AE58F8B458217E80F68F437847D7EA1AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297147Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.308{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x8000000000000000297146Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.308{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x8000000000000000297145Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297144Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297143Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297142Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297141Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297140Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297139Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297138Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297137Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297136Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297135Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297134Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297133Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297132Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297131Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297130Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.293{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297129Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.277{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297128Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44203160C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297127Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297126Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297125Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297124Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297123Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297122Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297121Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297120Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297119Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297118Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297117Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+c0456d|C:\Program Files\Mozilla Firefox\xul.dll+bfd604|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+1f02d5c 23542300x8000000000000000297116Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99027F90B51E70503307A871C1075772,SHA256=1E81553267D98B8AAD24E7AF1B20000B9BF816BD22EC11F918714D57CCF27573,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297115Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.261{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000297114Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297113Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297112Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297111Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297110Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297109Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297108Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.246{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297107Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.245{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297106Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.245{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297105Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.245{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297104Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.241{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297103Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.224{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297102Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.224{5097E253-9226-6149-A12B-00000000FB01}44205384C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297101Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.224{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297100Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.224{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297099Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.224{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297098Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.224{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000297097Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.224{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000297096Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:56.224{5097E253-9226-6149-A12B-00000000FB01}4420\cubeb-pipe-4420-1C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000297095Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:53.535{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59193-false10.0.1.12-8000- 354300x8000000000000000259885Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:54.275{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49471-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000259884Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:04:53.815{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.20-49016-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000297094Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=397D18E4F2341FCD0382F52D06816BB8,SHA256=2F786886EBB6BA2B287403A08B21D62A94D14A6BC7E49AF5852E2464BD2EC93C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297093Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297092Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297091Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297090Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297089Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297088Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297087Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.208{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000297086Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.193{5097E253-9227-6149-A42B-00000000FB01}4180\chrome.4420.4.109945293C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297085Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c2501|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000297084Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.4.109945293C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297083Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.193{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000297082Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.3.93426360C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000297081Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297080Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297079Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}44205300C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000297078Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-ConnectPipe2021-09-21 08:04:56.193{5097E253-9226-6149-A12B-00000000FB01}4420\gecko-crash-server-pipe.4420C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000297077Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.177{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F30B5789114E63EA3E3CA0D94F440D,SHA256=3C69CE412CC6282AA6AD31F3DBB0DD5B090AC9FE0DD269CAD63044227A416A1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297076Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147 10341000x8000000000000000297075Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a46044|C:\Program Files\Mozilla Firefox\xul.dll+ac028e|C:\Program Files\Mozilla Firefox\xul.dll+e3a352|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0 10341000x8000000000000000297074Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297073Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297072Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297071Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297070Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297069Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297068Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297067Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297066Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x8000000000000000297065Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8 10341000x8000000000000000297064Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+e3a041|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0 10341000x8000000000000000297063Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.161{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+e3a041|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0 10341000x8000000000000000297062Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f 10341000x8000000000000000297061Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147 10341000x8000000000000000297060Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-9226-6149-A12B-00000000FB01}44206500C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297059Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297058Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297057Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297056Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297055Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-8790-6149-9829-00000000FB01}25162776C:\Windows\system32\csrss.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000297054Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-9226-6149-A12B-00000000FB01}44204848C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000297053Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.155{5097E253-9228-6149-A72B-00000000FB01}5620C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.3.934263603\1130842543" -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3524 -prefsLen 6352 -prefMapSize 244831 -jsInit 1120 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 3536 1e78f52cb38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000297052Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.146{5097E253-483D-6148-1000-00000000FB01}961668C:\Windows\system32\svchost.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000297051Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-CreatePipe2021-09-21 08:04:56.144{5097E253-9226-6149-A12B-00000000FB01}4420\chrome.4420.3.93426360C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000297050Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.142{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297049Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.124{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8459EB1D6CE112133358D0E349DD1ACB,SHA256=D7CE2B6A63F7B4FD4E68E0F424CE420657C0075FDAFE8B706E115EAFACE9399B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297048Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.108{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297047Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.062{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDD96DE91E3936F5D2DF6A23BA73B63,SHA256=E708FF3A464A9FEC90C8F8369189F0428954EBF9F4E4F412AF0CFCCA6BBCE1CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297046Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.046{5097E253-483C-6148-0C00-00000000FB01}8486052C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297045Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.046{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297044Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.042{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f3e|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+f140d2|C:\Program Files\Mozilla Firefox\xul.dll+1ac06a2|C:\Program Files\Mozilla Firefox\xul.dll+176afc9|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+1076ec|C:\Program Files\Mozilla Firefox\xul.dll+1268ff|C:\Program Files\Mozilla Firefox\xul.dll+1187299|C:\Program Files\Mozilla Firefox\xul.dll+901c48|C:\Program Files\Mozilla Firefox\xul.dll+902376|C:\Program Files\Mozilla Firefox\xul.dll+22f1b0 10341000x8000000000000000297043Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.042{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f17|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+f140d2|C:\Program Files\Mozilla Firefox\xul.dll+1ac06a2|C:\Program Files\Mozilla Firefox\xul.dll+176afc9|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+1076ec|C:\Program Files\Mozilla Firefox\xul.dll+1268ff|C:\Program Files\Mozilla Firefox\xul.dll+1187299|C:\Program Files\Mozilla Firefox\xul.dll+901c48|C:\Program Files\Mozilla Firefox\xul.dll+902376|C:\Program Files\Mozilla Firefox\xul.dll+22f1b0 10341000x8000000000000000297042Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.042{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A42B-00000000FB01}4180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7eec|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+f140d2|C:\Program Files\Mozilla Firefox\xul.dll+1ac06a2|C:\Program Files\Mozilla Firefox\xul.dll+176afc9|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+1076ec|C:\Program Files\Mozilla Firefox\xul.dll+1268ff|C:\Program Files\Mozilla Firefox\xul.dll+1187299|C:\Program Files\Mozilla Firefox\xul.dll+901c48|C:\Program Files\Mozilla Firefox\xul.dll+902376|C:\Program Files\Mozilla Firefox\xul.dll+22f1b0 23542300x8000000000000000297041Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.040{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD60CE0473182CF8F8BEBDB44B95736C,SHA256=3C1FF370CAD1B07C654F2ACF75DF7B7D2A37ECF6C0DC39F0D5287DF21C0556A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000297040Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.035{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297039Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.035{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297038Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.035{5097E253-483B-6148-0B00-00000000FB01}6326480C:\Windows\system32\lsass.exe{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297037Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.035{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297036Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.033{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297035Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.033{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297034Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.033{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297033Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.032{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000297032Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.032{5097E253-9226-6149-A12B-00000000FB01}44207884C:\Program Files\Mozilla Firefox\firefox.exe{5097E253-9227-6149-A62B-00000000FB01}2828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000297031Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.015{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5C0CF1D0A3F8D41DBB530CC47CB028,SHA256=7FF9624C41AB8825630AFBEB4BB27917EA9690DEEA662CEE48F0C946568837A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.896{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59213-false93.184.220.29-80http 354300x8000000000000000297365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.895{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59212-false93.184.220.29-80http 354300x8000000000000000297364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.894{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59206-false35.167.102.239ec2-35-167-102-239.us-west-2.compute.amazonaws.com443https 354300x8000000000000000297363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.892{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59207-false35.167.102.239ec2-35-167-102-239.us-west-2.compute.amazonaws.com443https 354300x8000000000000000297362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.883{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52451- 354300x8000000000000000297361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.876{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local62513- 354300x8000000000000000297360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.876{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49696- 354300x8000000000000000297359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.875{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63240- 354300x8000000000000000297358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.874{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local64053- 354300x8000000000000000297357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.874{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63204- 354300x8000000000000000297356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.874{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58871- 354300x8000000000000000297355Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.872{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63309- 354300x8000000000000000297354Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.871{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63236- 354300x8000000000000000297353Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.871{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63857- 354300x8000000000000000297352Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.870{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60507- 354300x8000000000000000297351Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.870{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49578- 354300x8000000000000000297350Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.868{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local65200- 354300x8000000000000000297349Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.868{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58870- 354300x8000000000000000297348Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.844{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59210-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000297347Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.844{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59210-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000297346Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297345Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297344Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297343Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297342Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297341Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297340Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297339Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.721{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297338Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297337Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=489DDF1C6CFFF3875F1BECD21EE3A913,SHA256=10226DBCFA9F6058B8A2FF0536E4A23EAF40F4CC71CC6168647D97C1D538D4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297336Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297335Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297334Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=389A58B23D79C07A11D5FFBCE3056235,SHA256=D317C6126B7D1832AE9A9155DE1F38D5C816226790ED9442F55868B165CEE8CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297333Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=AEA41B2D76C79B6A133AF4C425CE0C2B,SHA256=56CE1EEFB867B18201893BF7669AA997F69C78D2EFBD902553D664F237439CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297332Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.706{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=6857A4406C0ECACD916A3007A5C2A153,SHA256=778AE8D3F4E0818AAB63682D1715DD58125193E71B97F222EC6AC2135221D477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297331Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=DFAE4C9D8900A794C9DFDE4404930786,SHA256=CCB7A34A1BF7172197D627F76E4C9E0328B777402A2B0A59F09A0A50A8A5051D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297330Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=9B365E8EA9A833CAC3ABEFE7AFF9E22A,SHA256=3A2C0517773855834A132E55421189A724EE88CA677F4DAF41AC1454711D35BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297329Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=55CBB0A6771CED8E0145F83053A0E86D,SHA256=3D7A7E394C5087DF66DEC4E81BF4A751FACCA1A7A71E21E5C95E9444E276261B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297328Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297327Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=5ACD66DB29AFABE23566110E44DBD5E7,SHA256=AD73B565DED09760945E8AC426CD4D16C8DEB3C202E8ABAD356EABF62137D2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297326Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=AE6DD8668801AF061727B194D2640646,SHA256=54225B7FDDACCF805031517589C30E5F33BE6F8CCF513E6C1928B2D8CEBB4AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297325Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=332AF4DDE88918F3FEEC3ED060935A13,SHA256=A0025805EDC6C1872E1DAD7529B9D5652795ED013C86385B48E7E38F30E2300A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297324Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.637{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297323Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.621{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297322Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.621{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297321Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.621{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297320Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.621{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297319Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.621{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297318Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.621{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297317Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297316Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297315Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297314Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297313Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297312Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297311Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297310Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=BF6C363FCFE18836F5B693AC897B03D0,SHA256=3436668289A12D65E3C22BC60B8E2EA8D2D6CF15DF1402FCB3C16DD875D438E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297309Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D5F2E2EC2D972EA4E3BD5E52478574EC,SHA256=5A9F549160D35C4F4CCD6CC4EF4B63FF1A8859F8374AEA866A10F61DC2559E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297308Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297307Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297306Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=914534BA8A40B6B03D6D9B771F2B19BD,SHA256=35A2915F1843458284C8FC7CA759EA2429663896ED02845849FA9A318F53EC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297305Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=AE7986A0220B25D6A8A8D964DFAB18A9,SHA256=204DECEAD5EF0D73D35420F74EF89BB5E7080007726E198A26D8553BA5B257D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297304Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297303Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297302Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=4E114A12FE1D8664A2957286D9C690B5,SHA256=6A1E487E1A25DA4010DCE4BC9DD610DEF85DA683FAC9D704DD2A50664E5A60BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297301Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.606{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=775AAB007F2E4FF49FC45DB938962B25,SHA256=D3DA5191342AAD67DAE5D80DF6ADE9D325A8A9D1131BADFC19152B6468A62E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297300Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.590{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=332AF4DDE88918F3FEEC3ED060935A13,SHA256=A0025805EDC6C1872E1DAD7529B9D5652795ED013C86385B48E7E38F30E2300A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297299Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.574{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297298Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.553{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6FA03997D7F51036AE9052E9369A8FE,SHA256=0ABC2C75C1105FBAAE25BA08F0C88F0CFB816A089FD00C9A4837660E178B247F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297297Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.506{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=AEA41B2D76C79B6A133AF4C425CE0C2B,SHA256=56CE1EEFB867B18201893BF7669AA997F69C78D2EFBD902553D664F237439CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297296Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.506{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297295Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.506{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=DFAE4C9D8900A794C9DFDE4404930786,SHA256=CCB7A34A1BF7172197D627F76E4C9E0328B777402A2B0A59F09A0A50A8A5051D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297294Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.777{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59208-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000297293Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.760{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59209-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000297292Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.759{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61927- 354300x8000000000000000297291Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.758{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local51327- 354300x8000000000000000297290Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.739{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59203-false35.167.102.239ec2-35-167-102-239.us-west-2.compute.amazonaws.com443https 354300x8000000000000000297289Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.723{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59202-false52.88.142.33ec2-52-88-142-33.us-west-2.compute.amazonaws.com443https 354300x8000000000000000297288Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.639{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59205-false142.250.184.195fra24s11-in-f3.1e100.net80http 354300x8000000000000000297287Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.639{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61515- 354300x8000000000000000297286Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.633{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60030- 354300x8000000000000000297285Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.611{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59204-false142.250.186.42fra24s04-in-f10.1e100.net443https 354300x8000000000000000297284Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.610{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61548- 354300x8000000000000000297283Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.610{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52349- 354300x8000000000000000297282Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.595{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49673- 354300x8000000000000000297281Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.594{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63129- 354300x8000000000000000297280Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.589{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59854- 354300x8000000000000000297279Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.573{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49541- 354300x8000000000000000297278Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.573{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63531- 354300x8000000000000000297277Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.571{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local49524- 23542300x8000000000000000297276Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.490{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAF147F18E669BE331B7BAA860656F2,SHA256=91CFCA77DEDCBDF815644343023A763829A1EC85FD0490718A00C037923CE9A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297275Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.453{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\gjut4rsa.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297274Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.390{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297273Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.251{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59A1520979CFF826AC744FE51D93C1ED,SHA256=06A66E0421542EF1A8AEA84E7828184212F40E461F58A5ED06945482C162ACE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000297272Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.537{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59201-false18.66.139.28-443https 354300x8000000000000000297271Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.537{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63886- 354300x8000000000000000297270Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.525{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local50771- 354300x8000000000000000297269Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.501{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59200-false2.16.216.73a2-16-216-73.deploy.static.akamaitechnologies.com80http 354300x8000000000000000297268Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.501{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61056- 354300x8000000000000000297267Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.457{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59199-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000297266Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.430{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59198-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000297265Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.427{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local52988- 354300x8000000000000000297264Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.409{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59197-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000297263Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.395{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59171- 354300x8000000000000000297262Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.394{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local61928- 354300x8000000000000000297261Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.384{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-966.attackrange.local59196-false18.66.139.125-443https 354300x8000000000000000297260Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.384{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63451- 354300x8000000000000000297259Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.383{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local63498- 354300x8000000000000000297258Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.379{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local60794- 354300x8000000000000000297257Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:55.378{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local58868- 354300x8000000000000000297256Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.827{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-59195-false127.0.0.1-59194- 354300x8000000000000000297255Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:54.827{5097E253-9226-6149-A12B-00000000FB01}4420C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-59195-false127.0.0.1-59194- 23542300x8000000000000000297254Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.173{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\search.json.mozlz4MD5=A52BFA33969CB66228B092D500B22119,SHA256=893ECCBDB36D3F5C88D87AEBCDFF8EC498225996ADB00EFF1C0F3A4E5EB49EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000297253Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:57.075{5097E253-9226-6149-A12B-00000000FB01}4420ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gjut4rsa.default-release\datareporting\glean\pending_pings\23054506-1e01-4370-95a8-bb4d28704869MD5=6A400853C57E3EB42E2E40EBF34E0DA4,SHA256=4AFCE34C96FBBFC52B6D916E865FDF3379EE4B4074882947733CBB8D234E2133,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000297252Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.545{5097E253-9226-6149-A12B-00000000FB01}4420www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:216.58.212.174;::ffff:142.250.74.206;::ffff:142.250.186.46;::ffff:142.250.186.174;::ffff:142.250.184.206;::ffff:142.250.184.238;::ffff:172.217.18.110;::ffff:216.58.212.142;::ffff:142.250.185.78;::ffff:142.250.185.110;::ffff:142.250.185.142;::ffff:142.250.185.174;::ffff:142.250.185.206;::ffff:142.250.185.238;::ffff:142.250.181.238;::ffff:172.217.16.142;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297251Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.545{5097E253-9226-6149-A12B-00000000FB01}4420dyna.wikimedia.org091.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297250Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.545{5097E253-9226-6149-A12B-00000000FB01}4420star-mini.c10r.facebook.com0157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000297249Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:04:56.544{5097E253-9226-6149-A12B-00000000FB01}4420www.wikipedia.org0</