23542300x8000000000000000295356Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:38.966{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84DB77C775D0BC81DF9E52447A41071,SHA256=9A6A930BE9F7BA4183723AA23EACC0A87062B78DABE3ED92933D4EBE1463D071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258638Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:38.156{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB14861DB3530D731C1691A247C91CC,SHA256=6F012284DD2806C4181C9C778184C29ABAC79FCC2A79E8005152F9BD26A2996C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295357Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:39.982{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D0861AF0C876E279D58361200023BB,SHA256=FE7E363D19CCE819FE827B7B5E1E67B2007F9F53F48DB5C86B035D6D7E7B314A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258640Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:39.187{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09688938AA186CF8C5FE54E1E49A583C,SHA256=FCE99DAE8DF72C12263902047AB9BD4C78A41FE3B5FF1C2B3258689093D69AB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258639Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:35.647{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50803-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000258641Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:40.234{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539871F7FBA1284EEF717B3BF0CE48B9,SHA256=094DD22E795522EBDF357A5B1B111F0BF4A249E5E199B5246070403138E7E6D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258642Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:41.265{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3103E809B3B6D914B39DA033FE4713,SHA256=A3EE2F485CE3F5F18CCEA4A39C45DCEEAF97F65EE7EFF3276CC3C4F993E0235B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295359Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:39.364{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59119-false10.0.1.12-8000- 23542300x8000000000000000295358Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:41.029{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478AC04982573192E8BA809CEA5E80CE,SHA256=89C04D43C0CD0E6440AF3D7BBE5D57F8BBD78E32B38693DCA13ED897433A13A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258643Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:42.328{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3783C1AED0A1C490A620E2E2F7EE74EA,SHA256=15AE6FFF7418487DFC2B992BDBB2607011A836A91BED8F3C5CC961D4665F8FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295360Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:42.045{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D2DD87EBE23BF0310C855B05A2EA53,SHA256=393D0EDFE6A0A8CF512F66B4CC1C49227611E1DFE3DDAC0E9110A4DEE230140B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295361Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:43.058{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4078E63184E04965E00A6798A431F4,SHA256=42E49FB0BA833404FB7F962CEA494D6C2496B37DFA04453FAF0E8AB804A029BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258645Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:43.342{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82246BF6D623037B9B77D17177FA4E49,SHA256=E1E320ABC4D29F93E7D472803E1137B2BA89DE9A425F61B2C13C0193DE852A56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258644Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:40.694{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50804-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258646Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:44.358{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB83ADD53E6DC7EF0C507DE85DE9D699,SHA256=63C903E6B81AB608E141E7E3D79B88A18F4AAE70875E6839B65CB9205DAF8A5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295363Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:41.934{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse60.8.150.197-62350-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 23542300x8000000000000000295362Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:44.073{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C35B334C2BE1C36FC37528F0E9FB2EA,SHA256=A5EA8C14B96F68D72CB658602E0315AF243F55BED400B6DF92FC802CF845DC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258647Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:45.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1620D50EDDB95E85A4115473739E32,SHA256=2BA4742A496ED1C7D4152003E580F111EE37EABB65E7A5FFF35151AFB84853F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295364Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:45.089{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89601408B34621F9C94ADEF948FFFC84,SHA256=765724D9B1B1475D4825419DAD889971CD604D89C89892D495D75D334724FF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258648Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:46.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6139AAC871DAA2929A7618FF2E91C3A2,SHA256=DADFF77BFC150E522A2F276E9766E289E24E1FB91B8A2F53F2FCE99ACD5DCCF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295365Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:46.136{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD4718BB057B5E6A053944C7BD0925C,SHA256=357FEEB367532BA435C9C46C47EAC243F2793F566375D170DF4CD2B1A99665AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295377Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:45.408{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59120-false10.0.1.12-8000- 13241300x8000000000000000295376Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000295375Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0504178a) 13241300x8000000000000000295374Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0x4349b921) 13241300x8000000000000000295373Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebe-0xa50e2121) 13241300x8000000000000000295372Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0x06d28921) 13241300x8000000000000000295371Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000295370Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0504178a) 13241300x8000000000000000295369Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7aeb6-0x4349b921) 13241300x8000000000000000295368Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7aebe-0xa50e2121) 13241300x8000000000000000295367Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-SetValue2021-09-21 07:59:47.229{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7aec7-0x06d28921) 23542300x8000000000000000295366Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:47.151{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2992656C48C3A21A9F31FD0073F67AF4,SHA256=7157D041C684171520A757B5112A9EA16ABD1C8706837886C8F432759E600AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258649Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:47.436{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF54453820563869087734F09F0A55A,SHA256=290E156D141DD84BA72D14533CDAFDD38A552585FC9907CEFF3ACF387ECDC2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258652Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:48.452{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7925D7F7BC449B888F68430F58746F,SHA256=787237A595B02B2043E7239A51A906E46D32656AEC7C308DC6143D6D2467BF34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295379Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:46.712{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50806-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000295378Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:48.151{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F529B9E1AEB64BC6527E51DB14045A82,SHA256=FF2101D0E5B9BAB0FBF4A1B0822E2B8C40386AC3DEC8FC0853439226BFB63EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258651Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:48.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F779EDB1AA14EC5E2FA1F6FC5FC2792,SHA256=797AC3DED90B47483332CC16B69447B4F9DA4C789FCE34534481AC5BA9DFA101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258650Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:48.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16322EF181B5362DDA14C402DECBB021,SHA256=BB2AF6910BE68AB299BCE9355BF3E100A3844413EC9B75E5A1CD153114072BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258656Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:49.467{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316025230F06715B474E292F1D9141C7,SHA256=1579FEF2823BA12E9B84B687BA1D784135304995859716A43BA4C6F802236C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295380Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:49.167{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023B3D3BC3DE841EE2B17F5D337A4315,SHA256=92A8714C1E6D148CA338D6868486DFE8763F3B51B1DD1CFF53335EF068B1A758,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258655Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:46.857{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50806-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000258654Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:46.709{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50805-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000258653Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:46.679{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com54159-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258657Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:50.545{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07461BCB7FE870315490B0CAEFB1BE30,SHA256=A3DDAA326A698957947682782F1CF00BFAC33D9995829B003607A5AC7B8425A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295381Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:50.198{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0102AD9FC5A233F43216E7FAA6A4CC36,SHA256=09B7F975D422ED802BAAF13383E2299C186795471AA5CF96761B5B79A15246DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258658Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:51.577{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5922E5C5E6756B673CE57EC488F487,SHA256=EE060F60177318C74EFF7ACB15052C9D95E7FA2E2E14FADBDCBE822B38CDA3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295382Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:51.198{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2F2C9C5A1E1C6AF6C45399E7D47F04,SHA256=0E4C3628E6C0DCFCC64DC36BC7674CC3748D66307ADF81424D8342E8FFD6372B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258659Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:52.592{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1F8164F627AE33F3898DDEEE48C47B,SHA256=658627F42DF5CD2E8D62A0ED9B3D7498A19E032A1786917047035C4A4996505F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295392Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.698{5097E253-90F8-6149-722B-00000000FB01}81523032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295391Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90F8-6149-722B-00000000FB01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295390Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295389Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-90F8-6149-722B-00000000FB01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295388Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295387Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295386Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295385Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.526{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90F8-6149-722B-00000000FB01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295384Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.527{5097E253-90F8-6149-722B-00000000FB01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295383Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:52.214{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1232AB2197A5CC76757B42CABB56D7,SHA256=2F15D00DC8460A403D9F7CA5610BEEA351FB23EF79B016A81421E24CD5F62C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258660Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:53.608{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DECED0FF351FE4593A74FD693421185,SHA256=6B070E76B3877CCCE01E574BC9FC7E0451A080E2FE1B7B2C4532581F361C720A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295409Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90F9-6149-742B-00000000FB01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295408Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295407Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295406Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295405Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295404Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-90F9-6149-742B-00000000FB01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295403Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.870{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90F9-6149-742B-00000000FB01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295402Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.871{5097E253-90F9-6149-742B-00000000FB01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295401Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.230{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401F3D96A2D57548E0E0E232F8612572,SHA256=785CCA4E724377B7711A9645F2880CD79D6DD2C35FA1D6A9471D1D30A1888AFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295400Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90F9-6149-732B-00000000FB01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295399Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295398Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295397Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295396Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-90F9-6149-732B-00000000FB01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295395Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295394Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.198{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90F9-6149-732B-00000000FB01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295393Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:53.199{5097E253-90F9-6149-732B-00000000FB01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258662Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:54.639{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0217F9031191CF2EFF1A765FEE06700D,SHA256=2246484B7BF94614E63EBA4A206D900419B51B44FD00ACB0D66C5E6B3336AAC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295421Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.526{5097E253-90FA-6149-752B-00000000FB01}73967220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295420Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90FA-6149-752B-00000000FB01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295419Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295418Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295417Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295416Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295415Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-90FA-6149-752B-00000000FB01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295414Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.386{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90FA-6149-752B-00000000FB01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295413Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.387{5097E253-90FA-6149-752B-00000000FB01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295412Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.276{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1650716F4D17FA04772198A072AB68,SHA256=475981F4B04BE049775C7DF4E96305F94020571E74333B8CC0918B376CCC37D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258661Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:52.631{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50807-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000295411Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:51.424{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59121-false10.0.1.12-8000- 10341000x8000000000000000295410Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:54.011{5097E253-90F9-6149-742B-00000000FB01}15523528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000258663Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:55.655{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7477CA82FCAA6FE1D0744D197A206AB8,SHA256=5AADC7E75B6639932B81DFB657C86816FBFD3495021C69F9FD61408AE1D00AF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295439Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90FB-6149-772B-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295438Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295437Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295436Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295435Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295434Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-90FB-6149-772B-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295433Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90FB-6149-772B-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295432Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.730{5097E253-90FB-6149-772B-00000000FB01}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295431Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.276{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBEE8474A1D2128D74B48AB005C9BE5,SHA256=4333A80C8CE4EA89FA76AAF1F0512B48B92D6419BAC61156A68C717C25EF09FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295430Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.183{5097E253-90FB-6149-762B-00000000FB01}62848028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295429Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-90FB-6149-762B-00000000FB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295428Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295427Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295426Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295425Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295424Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-90FB-6149-762B-00000000FB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295423Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-90FB-6149-762B-00000000FB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295422Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.058{5097E253-90FB-6149-762B-00000000FB01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258664Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:56.670{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F599B9F1EADD093D9FBC6850C2681D,SHA256=A4FA0F4878DD15AC57E12412B085D87554C14EFC101479BF4F6677C5CC8318EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295440Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:56.276{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE527B8CB6D5DC6A0A5DAB0370BA954A,SHA256=B540F1EE015D3C9BA7D62473128568B87CBEB612992FB5440D9E427E88E10B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295441Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:57.511{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5BC7CE72A1399A938C87E88052365F,SHA256=1B8FBF415616981FC75CAC31134FB2C6C78A4F08E3AF144EC201222F4B6E3565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258665Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:57.702{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F9ECDF26916B76B1A484013E49B0DA,SHA256=A7BE8B3D187946863E5395D0EB94EE6A72E6B3305C74B5D400D838AEACF01847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295444Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:58.511{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC53C0040036AD48DA1CDF4C8E8E2CE,SHA256=15372CFA80E517842C83353CE05FA651319D16B722524D6DAB8C478EB2D5B6A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258666Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:58.733{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD9061C1722A39BFFB38B5AE5FF9C5D,SHA256=7A06E5602EA6BE02CC14B1871214C8254F41B2B702F3E2B9A99F32F3DBCC83FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295443Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.799{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59122-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000295442Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:55.799{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59122-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000258667Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:59.748{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C09C8CE39BC34C4F3B42A3CA6897C9,SHA256=DC470BA227C9BD7AA2A46ACD11BCC8B2B780ED1C37E63589CC25F9DB56764031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295446Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:59.589{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FA4538712D0371B401B7B5DDD29ED3,SHA256=4997216A63EE52B291E9CC4FD4F7BF186E9B55BD1C88920DF2242B9786A36666,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295445Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 07:59:56.533{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59123-false10.0.1.12-8000- 23542300x8000000000000000258669Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:00.764{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14BD6EFC3DDE10AA7AFD0AC25111DAE,SHA256=233ED59FCEE17AF4598268CB4FC7EDF8DDC5CB19F6F736BE94A59472DB4A9D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295455Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA5D10BF5A4212F46961B9FD2750EF8,SHA256=6CAD947D28A807F4334C26C26DCCC720BEEFF5B0B8E8D5051F67892A4D7A2E9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258668Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 07:59:58.600{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50808-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000295454Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9100-6149-782B-00000000FB01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295453Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295452Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295451Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295450Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295449Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9100-6149-782B-00000000FB01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295448Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.026{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9100-6149-782B-00000000FB01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295447Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:00.027{5097E253-9100-6149-782B-00000000FB01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295456Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:01.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BE791EAFF505DF98E157A86D382128,SHA256=AFE47C724D7043412C476F5173782994DB6A27CB55928EADC4B031BC706B2FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258670Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:01.795{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB37D4A6EE31998F021A4159C43BB3AF,SHA256=7B576817715C58CDBCDFDE631A4ECBE0ECF92CB4D6AF161A96CB9A8E5BC4CC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295457Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:02.605{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB56CE7163EC7B13385477CAB3F9387,SHA256=8C1966E96AAD2B1FBEC6AC336A974BB46B1B7D740D61D8ACA3B5A7A2B31D0BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258671Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:02.811{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B984CEC8351D332A85FC2EF02E54FB8C,SHA256=8BCA50A51FCD0E85CB5FBE15E2952CB14B70CE77BAD99AC24A7D0F4845733C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258673Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:03.822{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2772712B5D0AB13DBE4344642D30F8F6,SHA256=9A18045696D944372A756E365EB06C5ABEC2C087F446D279E9ECE3A77136EBAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295458Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:03.616{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F6778D5F4F66C609BA89F9D86C7571,SHA256=089D58581CDBF4345E5B4A1250F1D3DED97DC60723E5D078E60B3DF9115E584E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258672Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:03.181{C189DCE5-4A3F-6148-1000-00000000FC01}956NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6D45A8B3AE5E1772DADB3F2888D3AB43,SHA256=875006647351913B7A3238016C0EF897EF31D83724458309032FA3E2874EC689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258674Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:04.838{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0928B061773220240CD4F1C94AFF7FEF,SHA256=04EF51B9150A53C44F4E35E4516EE86F739DE9FF55B3854CEB43EF1E753F7ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295460Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:04.616{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA2E719FE15F84190EC5BEB2A1B92E5,SHA256=8667E9539FF40EA7CDCF5882A39C125A1FD6F485BEB2CCDABDE10376D14DE23F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295459Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:01.548{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59124-false10.0.1.12-8000- 23542300x8000000000000000295461Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:05.616{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39203871078D918DCF9FED3F03391B45,SHA256=CFFC333850155E6297DA5671B42A2BB11AA70BD90CC4B81EFA4BF820E596DB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258676Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:05.838{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F084D7BFC4A6102D97F94F86A6C6C016,SHA256=01637264866CDFBFEE7179AB36936D052A402D64A12441DA2C6E62455E5C4992,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258675Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:03.704{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50809-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258677Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:06.853{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3C3214D196C87906E6E10239CB450D,SHA256=EAB717A2781FD7F1C30BCCA2F8A62F1CE041A2288169133BB039D637170EA038,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295469Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48162508C:\Windows\Explorer.EXE{5097E253-8DAF-6149-E92A-00000000FB01}7104C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295468Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48162508C:\Windows\Explorer.EXE{5097E253-8DAF-6149-E92A-00000000FB01}7104C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295467Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48162508C:\Windows\Explorer.EXE{5097E253-8DAF-6149-E92A-00000000FB01}7104C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295466Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8DAF-6149-EA2A-00000000FB01}7628C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295465Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8DAF-6149-EA2A-00000000FB01}7628C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295464Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8DAF-6149-EA2A-00000000FB01}7628C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295463Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.725{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-8DAF-6149-EA2A-00000000FB01}7628C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295462Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:06.616{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97B2E2FE9242E56CEC6470D907FEF08,SHA256=E919628233D191169DEFF373B0191D905D0587BA507F0F6B51BFEDF6D82EEE4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258678Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:07.869{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3486DB24EDAE499476A36F2A50DB1C6D,SHA256=D7E7029086D4D025C35E56E042DC76F4F40B1FE7A780E1045F85EED432864F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295470Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:07.631{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441DDC685D05E2AE55418C4F6AF8CAE6,SHA256=8CADC7B0028373F48F8861AFB82D5E9A9D2BFB1DC59BF957C203D68527D7AEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258679Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:08.916{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5880566A273F09D3B8973F1D98AA8AE3,SHA256=52D35080376D2BCAD3EEE4329ED28EE93CCC29F78BC7946DA261F8D45FF0B2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295471Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:08.647{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE02F94591CEAD4FA645520A5C788A25,SHA256=E3795DE33EB61C3DA511840A7E436884C3101F2208994CB07F43BCE99F1909D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258684Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:09.994{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE0E375DAA2DAC0C058AF02508C8C3E,SHA256=806DC51AEE02CF042F1FE3368917BA43D69884F4878B6CED143D34BF0D6372C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295472Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:09.662{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF44E80799558C422D1B7D4EF107AE8B,SHA256=FAF4594FE459691AB4352E4D5700BEAD847D6FCD90E07A959F0411DD32784FF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258683Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:07.997{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50810-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000258682Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:07.858{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com53236-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258681Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:09.525{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6F933D589073B7285FD84F21BA80341,SHA256=949488F9B62EEBA9905C679AB2F8FA5B7385C656B8D3C7DC61637B97CE22C68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258680Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:09.525{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F779EDB1AA14EC5E2FA1F6FC5FC2792,SHA256=797AC3DED90B47483332CC16B69447B4F9DA4C789FCE34534481AC5BA9DFA101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295475Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:10.756{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1DFC1198F9E3CDC2E29A2282698B4A,SHA256=6B0DCDA79D9C8EFE38444AD7978CC26DF710311102B5658D8025A0404B2284C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258685Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:08.736{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50811-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000295474Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:07.852{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50810-false10.0.1.14win-dc-966.attackrange.local49676- 354300x8000000000000000295473Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:07.419{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59125-false10.0.1.12-8000- 23542300x8000000000000000295476Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:11.803{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36538B0916828A9B86724774DB48220,SHA256=173B828A3657A017353C5AFD70F126E81E9B06E2CF0335DFED4A1BCF1DEDA898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258686Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:11.025{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204395344F30BFAF2EF146F36E58A06C,SHA256=6EC6ACFECD257B3DFC36801FDBE27C246F5C32A5CF4A1C81A28559A6AB769CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295477Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:12.819{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C81A8FBABA0313461A754CD10E255F1,SHA256=7DACE3A0E2ACDE58103AD6FF83C3BFBB1625E4A062596CC85C6C9AADCDF8DB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258687Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:12.056{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BFE20AD2FBC6119685188361F88278,SHA256=6C22232A3F3FD6626CC0F91D166E51C4B6383C8DD0D30D771E4B2B54ABD2A9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295478Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:13.834{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B9DEBBBDDB99EE15A82BFB4A4C362E,SHA256=10F7095A77D473809489361719FD40A3CB08D1F5CC8BFE51B38B12FE12B8D935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258688Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:13.088{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2135042E5326ACD886131C0717219D45,SHA256=470417440EE22CB45981D6F4CC100E7FCCF3C9D19C8C0870DE6493717E2B7432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295480Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:14.866{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F3B6BDFC55F05DD69FFDE9CF62E097,SHA256=16FF8AC329AD64966C4B3C269F9E299B0EC450E20E0E04196763A8BBBDA10DB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295479Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:12.528{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59126-false10.0.1.12-8000- 23542300x8000000000000000258689Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:14.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1FE4C64A5786A953DC8AAA2C5C7F36,SHA256=2B6E0B99838A9C621D143079ADB9E6C5C3674A7DEE4BBD33B5E6265676A55D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295481Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:15.881{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D02109B8A2B524BE75D144AFC5BD730,SHA256=8F59A8345B47F67A274BDDFB65C15F95A8E98EF4539D1C7E7F093623EF10BF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258690Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:15.103{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03FF4A6BB689A25BD036066B0FCDEE4,SHA256=D51AE5257F42430821C76B05D613324E59229D8E1B344BAABD3B21FDAFF1EEE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295482Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:16.913{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0D186E412ED423BDD4DED480722943,SHA256=9963E55BAC459386D022D92436C3FFBE6CADB3AB210A2C984C1C5D27F1A2CB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258691Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:16.181{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B16872CEEE4A63ECD859A0C38AC4FD8,SHA256=65C9C74B20EEB703BB44036A9D257A04F7F636EA4B697186FFDA541FCD017CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295483Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:17.944{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C37C7A98670F1A92CEDF84F21D9C6A,SHA256=293FFB911EBB2E76B279658F70124E9C6A9071936E3934FE4E1B6EEB327C0C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258693Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:17.197{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B6D47815E961561AB2855928546E65,SHA256=77F78ED852B71E553CCD19959A931E64FC3C4973A30A59244DAC9422A80A3752,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258692Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:14.705{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50812-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000295484Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:18.944{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C363FA4482654FC933534E03926829,SHA256=8AAC78F090ED94F68050A48B48FD46F4EAD31DB7CD3D094EE4FF24E643EE7164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258694Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:18.213{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83908EEB30160F15D0C996325CDE14C9,SHA256=9D5F9C4B84178872A121E01A37384246AD10F928C8A699A9AD9071E5CAB88C8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295485Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:19.959{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1878E0B262473701B233D23BF58ED049,SHA256=5A89DB43C90897DEB3A27AFC9EA4D83B9C1D4CADC2D5F3315DF1C662921FB135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258695Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:19.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7FE05D5D5B6163AC8E7B30C7E76EC3,SHA256=05496B5DA0FFBD9B1189E3D3DBB8D0F8A27BB68DE404294C47BAF7CCC5DD01D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295488Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:20.975{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A92AB87643A9EF42A6D7F0C4289C34A,SHA256=511B42B0883381D447886A20A1D800BA3381FD5BDC3183BD7FAD2AFCBA223A7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258709Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9114-6149-0E27-00000000FC01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258708Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258707Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258706Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258705Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258704Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258703Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258702Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258701Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258700Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258699Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9114-6149-0E27-00000000FC01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258698Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.853{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9114-6149-0E27-00000000FC01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258697Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.854{C189DCE5-9114-6149-0E27-00000000FC01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258696Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.228{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C104BF1E6E346DCAAF74B58810ABDC34,SHA256=85DC21ADEA64FB107922030BEA4BDC8CA84737984A641BEA73113D6CA9EFD755,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295487Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:18.499{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57118- 354300x8000000000000000295486Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:18.499{5097E253-484A-6148-2B00-00000000FB01}3004C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-966.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60271- 10341000x8000000000000000258725Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.666{C189DCE5-9115-6149-0F27-00000000FC01}9123356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258724Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9115-6149-0F27-00000000FC01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258723Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258722Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258721Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258720Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258719Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258718Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258717Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258716Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258715Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258714Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9115-6149-0F27-00000000FC01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258713Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.525{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9115-6149-0F27-00000000FC01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258712Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.526{C189DCE5-9115-6149-0F27-00000000FC01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258711Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.306{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CEDBB5B0BD340DF324A3EC0059431B,SHA256=FB59A2946F5806A2D432748682337D58404203842A7A09768BF048C7E19BBDCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295490Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:19.925{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om57676-false10.0.1.14win-dc-966.attackrange.local3389ms-wbt-server 354300x8000000000000000295489Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:18.512{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59127-false10.0.1.12-8000- 10341000x8000000000000000258710Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.010{C189DCE5-9114-6149-0E27-00000000FC01}3548736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258754Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9116-6149-1127-00000000FC01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258753Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258752Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258751Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9116-6149-1127-00000000FC01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258750Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258749Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258748Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258747Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258746Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258745Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258744Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258743Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.869{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9116-6149-1127-00000000FC01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258742Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.870{C189DCE5-9116-6149-1127-00000000FC01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258741Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.369{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7848EC97884270446BEFA62C78D6307,SHA256=44F6FFF7C30F3533FE8AC634FEFAFD59C0B94DB8AA7C711752C83B7AC6BE17A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295491Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:22.006{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F409A682F7979DC459FEC70168B99212,SHA256=298D08F4ADE8DBA54BF4A5BB4B746FC447ED531F189801ACAE6E97A284A4BD6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258740Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9116-6149-1027-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258739Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258738Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258737Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258736Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258735Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258734Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258733Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258732Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258731Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258730Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-9116-6149-1027-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258729Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.197{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9116-6149-1027-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258728Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.198{C189DCE5-9116-6149-1027-00000000FC01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258727Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.072{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D73DE68B9C6D4DA46CFC196D0884DD,SHA256=D6BA8F43333896F02D81A24FA440084E6A167C8D8EBE326BD424834492186137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258726Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:22.072{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6F933D589073B7285FD84F21BA80341,SHA256=949488F9B62EEBA9905C679AB2F8FA5B7385C656B8D3C7DC61637B97CE22C68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258758Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:23.389{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B75709A4E2DC75575630EF472DBB13,SHA256=AEFA5758475C92B3F414B10483784260FBAB4B4CCC4635C20B664261B890E41F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295493Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:21.093{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50814-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000295492Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:23.027{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D570DB742F69A66C8437B237F502E3D9,SHA256=47B663F7D9781684EA748633D777F6A0DE4F30A9B4E9C5210B3E98B01E91E4FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258757Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.162{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse188.165.200.30ns3128168.ip-188-165-200.eu49580-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 354300x8000000000000000258756Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:20.704{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50813-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258755Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:23.202{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D73DE68B9C6D4DA46CFC196D0884DD,SHA256=D6BA8F43333896F02D81A24FA440084E6A167C8D8EBE326BD424834492186137,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258774Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.764{C189DCE5-9118-6149-1227-00000000FC01}40723400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258773Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9118-6149-1227-00000000FC01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258772Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258771Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258770Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258769Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258768Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258767Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258766Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258765Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258764Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258763Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9118-6149-1227-00000000FC01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258762Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.592{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9118-6149-1227-00000000FC01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258761Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.593{C189DCE5-9118-6149-1227-00000000FC01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258760Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:24.405{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616A33B37057EE7D03E85D823A14F82C,SHA256=48F022DD162CEEE7D71B334490C8D2052421D76893231B9232124B616E60EA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295494Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:24.058{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA4DAA4DB345A86C0F0724ECF84DDED,SHA256=9B38A01568B764D2AC79131305BE3D3E80D3058492EAD69A8DEF6E65A6374542,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258759Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:21.237{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50814-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000258790Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.796{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A247F034EF4F9A238DFAA3FCF216CFCF,SHA256=70B03C7DB7E1D84AFFCA0DFB487F8A6A25BF3917F63948FBBAAB2B4EA17E4CC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258789Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.796{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545C771E92F3F351461304CF4774E764,SHA256=AF703877901D7001A4528C8034CC515350BFE266C13A9028F9AD76AA17DE5F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295495Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:25.074{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921188D96471CF60EE35B1833667BE00,SHA256=1927D075B13B170C73C886C2D45F571B7B2C9572072538F4CB64414881D019B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258788Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.436{C189DCE5-9119-6149-1327-00000000FC01}18403268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258787Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-9119-6149-1327-00000000FC01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258786Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258785Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258784Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258783Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258782Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258781Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258780Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258779Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258778Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258777Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4A3E-6148-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{C189DCE5-9119-6149-1327-00000000FC01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258776Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.264{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-9119-6149-1327-00000000FC01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258775Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:25.265{C189DCE5-9119-6149-1327-00000000FC01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000258805Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-SetValue2021-09-21 08:00:26.858{C189DCE5-4A3F-6148-1100-00000000FC01}964C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7aebe-0xbcff5058) 10341000x8000000000000000258804Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4AD4-6148-A800-00000000FC01}1940648C:\Windows\system32\conhost.exe{C189DCE5-911A-6149-1427-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258803Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258802Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258801Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258800Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258799Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258798Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258797Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258796Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258795Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3F-6148-0C00-00000000FC01}7283888C:\Windows\system32\svchost.exe{C189DCE5-4A40-6148-1E00-00000000FC01}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258794Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4A3E-6148-0500-00000000FC01}408972C:\Windows\system32\csrss.exe{C189DCE5-911A-6149-1427-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000258793Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.827{C189DCE5-4AD4-6148-A400-00000000FC01}40243952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C189DCE5-911A-6149-1427-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000258792Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.828{C189DCE5-911A-6149-1427-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C189DCE5-4A3E-6148-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258791Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.796{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4384D16D8E580D0341083DFEC79CCFF3,SHA256=D28B887A0A2FDCF6561804C60CC248DD7F7A37917D1E13ED4503FA1799A3C752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295496Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:26.121{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210F7872AF5C737C9E9C6B9480738A64,SHA256=FC61CEE2B4B978A11B230CABA71656E4B4217F810CA8E98803F1AD2869DA4BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258807Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:27.922{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEA733195164B530D36E265968FDE50,SHA256=B843E7906F71EC2C95491D56E9C0CA1C2B33258F6F06F0ED7AC28129EF26B701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258806Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:27.891{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9D5E58286D628B404C23FAB45EE528,SHA256=3E753FC90F95AA3557BF5D29525CEDFCC6AED8D56EAADF283CCD3CEF33062A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295498Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:27.136{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F360AC8360613ED90470E1078FE47A5,SHA256=0A1BBB11521989BEB663CBA3383E683CD5F922317F954C44575AAE6AE35F0A9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295497Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:24.533{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59128-false10.0.1.12-8000- 23542300x8000000000000000258809Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:28.953{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADFA01C44877E42428E9B0641EA4A09,SHA256=FAD644B3BBE1E5901C532EB4289D6664DE66F824EF929B9518A4EAB0FCCCF798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295500Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:28.605{5097E253-483D-6148-1100-00000000FB01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6D5419F56BC1EF8850247801AC99CB5E,SHA256=09681B272894EA725C4CBFDD659B562609D036DF5DF0B392237CE869EA72A9BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295499Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:28.136{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3476A2A81332A82DEDB0394F36C4C91E,SHA256=24440BE8054149CE06056915620593963C6C953B27FD8F04945E413488F94953,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258808Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:26.553{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50815-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258810Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:29.969{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EBBA802AE5EF1085BC9A5F90870E272,SHA256=AA79B51C06D5BB64F8926B3A68A11269289272C9190C1B7A89EF7286305A1D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295501Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:29.152{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113BA59F6A740E908887668C8C3A1D12,SHA256=4043B74272414615428A4988035F78E1A72DB7B43D3D13F6C3BF3A2560000EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295503Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:30.203{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\respondent-20210920083732-1367MD5=C21073DCA1576CE22AC5A4E69FD96783,SHA256=F5F956E130D4A9F749A57CD894297A9B03ED981BCDEA26A81D88FDB8A0904A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295502Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:30.169{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC40C732EECBA1CDAD676542E5ED73D7,SHA256=36FB648A998E2583A435454BD6BAA0CF6F3CA5D4A0834C2C33BA19EFD3C79A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258811Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:30.985{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E433AF506A9E7B635F1AF3EF2B8C719F,SHA256=019F746091BAE0683092DD85B3BCDEA0B5059C96F0B7C74461F491922CFF5F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295505Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:31.207{5097E253-484A-6148-2A00-00000000FB01}2956NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d13d3ebccc5368d9\channels\health\surveyor-20210920083730-1368MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295504Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:31.189{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17395F157A711013D5EFD09928D70178,SHA256=E9870F2FDB62C4FBD53A30FE5CCF4F535E81C42CA403E608EC8EF28AEA56CFCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258813Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:29.241{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com52066-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258812Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:31.000{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F68A5EE519EB518880D76FE0DFF719,SHA256=86B13169A688D927AA8087354A02D15F0841A3FA39CA3109B690D9C427A12C64,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000295507Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:32.208{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXEC:\Temp\remcos_mod.7z2021-09-21 08:00:32.208 23542300x8000000000000000295506Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:32.192{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DEE4B02AF3CA083378944EB43CE5F5,SHA256=4FD909A5F3FBE8BB50542ED17C670E09F7F31298D1108E2B0148155880A702BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258814Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:32.016{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D0BC3B92ACCF8D045DB4374345A723,SHA256=241507C206075DDB83C3099B5EC7FEDBB98FF8E34ACF176742F21B97D9520A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295509Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:33.364{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEF10E0659A6F8AEF5C9B9235F32B87,SHA256=FB5D1A0A0BACE7DE175A17C306D8FF1AA3BE11BFACA04B1BB082EF9CA2BFCA06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258816Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:31.725{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50816-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258815Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:33.063{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4568B58150619801375161FE35FBF42F,SHA256=83069AA6FCEFF5AC43670C3667CCC9915EA7F4F749BED34F6AA3A9F17BF6B3D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295508Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:30.508{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59129-false10.0.1.12-8000- 23542300x8000000000000000295510Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:34.380{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D576046F64B83A55BFCCA37453C173E,SHA256=A46E1771D1A8C2BEA4DC46C09116250F4118DF39E119BBE16798868615A98ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258817Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:34.110{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F76006585B612A9DFBC8350D97DF45,SHA256=4525F78D07E3A6E9E33EB7E733BAAD1670CF0F2D9471F65CF2EB552270649181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295511Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:35.395{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F334B0503BB2FCB71A59A957789BB72,SHA256=EBEF3340310C1EF9A905C2D6C9A1E5A7AF423259DEC3C7D3C23A112B7461EAB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258818Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:35.125{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B25F312857DAD20A427102D5E3C29F2,SHA256=50699089BDB2DACCB8DA0014BF0EF449508F2B03BA8E26AA82A045A08D91C02A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295528Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\eventvwr.PNGMD5=4310123299C0DE80A83539CC13497AEA,SHA256=82CB3CD93C41AC8ABBCC79FCE4B7A12B30694C53E8C0A80DD982C6E104D0EAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295527Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\download_c2.PNGMD5=EFCDDB4CAF355DD94AD161D767A77E77,SHA256=76626AB1A7D570CC27703E45A386F8C4714D838FF05E8874710EED6B8ABA1E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295526Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\disablelua.PNGMD5=EB310408CE2C27535BEE16AF2EF03C88,SHA256=83AF023E44E17688D5FC9174E460F5A56DB3659AD701B01D52D8CE7EFED2DD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295525Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\defaultbrowser.PNGMD5=D7DBC4EEAA3F88ABBECF063EDAC65EFD,SHA256=0CB3B183066E70111472490E53428D5730CF0BAE1F1EB0693DA30CEE830B4229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295524Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\connect_c2.PNGMD5=0BEE1CF9D17446150D3957ADECA1CF82,SHA256=334BED420901306E5CA2A7EBC27F610355CB7125CAC1EFC3E4CA73300A20776C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295523Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\computername.PNGMD5=DB121942755F1513B8EA34C8AC96F74D,SHA256=E89D9606414AFDBF6DAAC4B3B672773E7A459BADAB4AC28E1943619A0AC6A9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295522Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\clipboard.PNGMD5=0BCE5E0CDF5EA568FE1AFDCB672D24A9,SHA256=F779E599477D58A21B56FC1956D8E185BD0FABBCB8961A53770EEE9BCA0D53D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295521Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\chrom_store.PNGMD5=DE0F8C01D8F793CBF1B4D6C4527B8E39,SHA256=AC4C444E26397FC561CF04F441C4BFE970D60A82C4398D11B624C08A40C21A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295520Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\chrome.PNGMD5=3522F023BF774BF97B9C47C89A3B1CA9,SHA256=5351C8DFB249D9AAE604CD7CD36B1F22E7A0BA7D6D2C522EF262EA466C283C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295519Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\checkproduct_os.PNGMD5=37FF921B67307174D9C2B3B1A5B8F74A,SHA256=A5CDF5FEC2DC9D08F0957EE4B89E7F6121791509E6C43130358B95EC43A102E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295518Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\audio.PNGMD5=B72D26D029577E4C7812297065A1ACF2,SHA256=14FEE2D3C7ED3F5E35CD13A600748F1402CFB8207D141E05ECDE33E198146D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295517Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.973{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\antidebugg.PNGMD5=FE2946BA88F7B07EC3FC21359B861BB8,SHA256=D411EEF7954D9196B6B3ACF6F4C0F5AAEE1C7E5EF97F429A1D590CC43ACB27EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295516Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.426{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=86ED6DC08AA78225026C3ACEBA1AE691,SHA256=32E230B20541F9861783EC3A1D9E8809704494C73616B36A0F435792FDA293ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295515Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.426{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8EFC3D521E7F4E1EF82FD178C7E64274,SHA256=D0A49028465B738B020F78A79E63797DA87A5D3FEBAFE000285E27952388B47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295514Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.411{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1395A323315655368A8A2023C238BF,SHA256=4DF70E3D514083FFA52630316E79A09F8A384C7811D4F8FE87D0877BFFF51480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258820Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:36.203{C189DCE5-4AD4-6148-A400-00000000FC01}4024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258819Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:36.141{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED37D320BC21F70846EF776FE32FCDD,SHA256=DFE07C53D5CF590A5CC8BAB0A9E314DBF9C2213B834B729A378F3FBC516C9E90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295513Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.380{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295512Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.301{5097E253-48DC-6148-AF00-00000000FB01}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A06AFAA37B2AE5F74CB7C51BB252F90C,SHA256=9B8EB50003204431FF1B318325066DAD4C84972A0CDF72634F8A3A6C7B135341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295545Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.973{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0B84F9508418B7DAD40E1C772A1253,SHA256=F94A00B032CC4076F86B1E60B744331E69935774036250EB21CE2596E377AF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295544Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.973{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=307D94E1FFAFB5C6045C62A564CF3736,SHA256=56010C2EA90A4B1EDFDE2715A5B0A6A631AD8830AEAC8662570E6C899D3C8493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295543Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.411{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E3533648C1666D24BDA8B3A0D7BA28,SHA256=24E870AAF82F4B686A6D328ED710E35ECE481628667B19D8675D898017A397D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258823Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:35.678{C189DCE5-4AD4-6148-A400-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50817-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000258822Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:37.318{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\respondent-20210920084554-1359MD5=66CDAD18033E13D0C35CA3AC69B52730,SHA256=7CB9DE9395FC1CB30838812626B3BC26C6E5C8120E907426341FB10EFD481E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258821Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:37.159{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F533D50FF13FF5776A5BB19C4E764753,SHA256=A62CA55EA8C5A2F47708394C951B659140C8D845C07EA12F0615E67614EC05AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295542Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.052{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics.7zMD5=1D304F91AD4B5B4390D0C5533E92DD11,SHA256=BDD4423FB108C205BED35302CF8C48B0EDFF3B49090CBBCF7FA7DD902159C109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295541Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.036{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\uninstall_bat.PNGMD5=38EC19DD6B6E3A7D8F3DB020D01C553C,SHA256=E3CAB5294676EC473CFA2D6D6CD3E69275D7DA7D56B80781C1EC6D044871E39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295540Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.036{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\uac_bypass.PNGMD5=B1452CFD7B184C4B863E0F9A97C2F85E,SHA256=28677CF719C4E8BBBDC2D0AC00B494894581E57A3487CC7B5515AA15DF1264E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295539Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.020{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\screenshot_png.PNGMD5=C1022DBB7301A8010355892510DA03A1,SHA256=EC85AE2BB87D20FCB223F2F39C5B866C558AAB369317FF6E9D6E991F7421966B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295538Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.020{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\regrun.PNGMD5=2771BC6BF2FD46253BB9025CFF3B9AA6,SHA256=EECEDE22F2815CB4CE3DB58C60994D9813B57E5326FD371DDC94534BA4C158D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295537Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.020{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\record_camera.PNGMD5=23914BCC65C5007287E5189A30875A36,SHA256=3CBC911BE8B8DD182F89BF150E361B620C131CD285BDAFB81F36F15D5774B8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295536Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\origmsc.PNGMD5=B53DBF593ACEF432507BD5823B18BD42,SHA256=85DB4C3F9AF32E18FCBA7054C6B2D81C6763A575D71B374968FB4454B4869638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295535Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\openmutex.PNGMD5=82E4B21DAAF15FF1367D5133D2460FD5,SHA256=FB43A0AC87555215526C2B58D0405B79006ABC70D6C117F74F0536FD8D2317C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295534Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\notes.txtMD5=837223B183FB387B786EA13826F0B630,SHA256=D2AAC537C5A5CD72481A87AE767039C9D6C070534F32D484B9245DB0DEC70AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295533Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\key_press.PNGMD5=1B909ACA120FC4287C85381F486BDD72,SHA256=933A9BE08882F9A0BCD77859D80D6464C4CCFCF91F60ACB2725313C7C7AB51C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295532Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\inj.PNGMD5=21F0FAD6A6DED792A6D3F904B237FFC8,SHA256=EC3CD98D0AF0CCC660911A1E90792465D655B15CE600F700EFC30661906B84F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295531Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:37.005{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\ie_cookie.PNGMD5=0F5C7A8AAF53F4DBCAE5CB32D07966A7,SHA256=4EB849517E805DD7D714A6B35BDDCD2D019A3F3C39F580558656D02781B8AE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295530Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\firefox_profile.PNGMD5=2D2613692AAF836FF251998CB67C8EB2,SHA256=12BD04024F6339D471101A5423CBBEFCD0058F0C04C31A5CE006B1F1D6C3736F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295529Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.989{5097E253-8792-6149-AA29-00000000FB01}4816ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Temp\remcos_pics\Exepath.PNGMD5=26590D43406AF7E7F59B8214A32283D7,SHA256=79FBB7693E8773C312E0AE6FF697BDA0C8D9A14EE744A11B11C964AFBF079385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295547Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:38.442{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02CBEC9996AAA269B9BDD8E1577CA47D,SHA256=3DF7AB665E71B49CDDB1B01DA04A259A4B293D2DA3EA5D05DF934BB1A96F6E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258825Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:38.317{C189DCE5-4A40-6148-1A00-00000000FC01}1796NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-06334c68fc9dd1772\channels\health\surveyor-20210920084552-1360MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258824Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:38.175{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFA13D5A475BD6E4E4078A8DFC13C18,SHA256=DAFD13BA07861A2DBC93A3EC1EF48984E46094970BDA0E1CA6DAB3469EE0993F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295546Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:35.604{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59130-false10.0.1.12-8089- 23542300x8000000000000000295549Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:39.442{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7A22E206EE466FE586C5C8FDBBECC3,SHA256=FDDF983EACF4296E22FCCE120DF469D9CD7F490F8111FA0E5ACD43CF528280C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258827Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:37.634{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50818-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258826Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:39.176{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F87A47400162B0F0E98FC41AE5F6D83,SHA256=BCAAE3E69FEF3502CD101B44F2E39C390F9C506A7F2F97C1804BC85F596015D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295548Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:36.448{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59131-false10.0.1.12-8000- 23542300x8000000000000000295550Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:40.458{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C7BA170060B29A0C7F421489F70F27,SHA256=B82CBD6F3F677EAFE3420BA5E167C8EE3F83881B61F8EE55A12B25C526791F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258828Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:40.223{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C0DBC918DB04255B9CD2E91491EEB5,SHA256=52394A70C1709CEA25F20CB932092B40A9FD2E9367B9F204841C472D66D58B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295574Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.473{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C04AC57F064B5FBC8AC2341415F907,SHA256=0F9E233D5159E361F9CE4360B0D513B65CBA5DA88A90FB6DF7589C0D5ABEB665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258829Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:41.332{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B700AC399F712A9357955A0DCA236112,SHA256=AB2D83601811F7B9D0FADD3643BAAB426A7F002DBA82D4EC2123E5D74D062DC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295573Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.161{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295572Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.145{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295571Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.145{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295570Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.145{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295569Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.145{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295568Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295567Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295566Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295565Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295564Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.130{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295563Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.114{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295562Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.114{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295561Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.114{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295560Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.114{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295559Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.036{5097E253-483D-6148-1600-00000000FB01}12924088C:\Windows\system32\svchost.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295558Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295557Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295556Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295555Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295554Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295553Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.020{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295552Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.005{5097E253-8792-6149-AA29-00000000FB01}48166404C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+4f38|C:\Program Files\7-Zip\7-zip.dll+61c5|C:\Program Files\7-Zip\7-zip.dll+698e|C:\Program Files\7-Zip\7-zip.dll+6aa9|C:\Program Files\7-Zip\7-zip.dll+8771|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284683|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c520|C:\Windows\System32\SHELL32.dll+17999e|C:\Windows\System32\SHELL32.dll+736c1|C:\Windows\System32\SHELL32.dll+765a6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026 154100x8000000000000000295551Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:41.014{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe19.007-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap31747:46:7zEvent14784C:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=04FB3AE7F05C8BC333125972BA907398,SHA256=2FB898BACB587F2484C9C4AA6DA2729079D93D1F923A017BB84BEEF87BF74FEF,IMPHASH=9CF6F80DD6DFE9900700C1E11C318B2A{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000295575Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:42.473{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67A65B1A1AE6877C268C245C5F257AC,SHA256=4390DAE4FAC79367DBC7FE8F8797D185F39C8FB06BC6C8A91FEA37F49DDDA28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258830Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:42.380{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E17EB2CFDCDAAE21F3B9108A0D4D86,SHA256=BD63396240F62A4CF20F4556426C2A85E942DB25DF138944500C31E9FA0BEC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295611Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.688{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2892C8B1E7393CD84240D3F5D103917,SHA256=8FC7F0C1FDBBAE1446C1839F4709AD6A947D5FC0BF953A8291DB77DEEC91FFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258831Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:43.380{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75EFC2291F8F368F2383860A80EDE08,SHA256=051CBFA6FFFB1B321BCC2E28C7A65E49ED10FEA187AB770DEABEB2EAFC84C1C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295610Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295609Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295608Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BD29-00000000FB01}5136C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295607Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295606Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295605Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295604Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295603Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295602Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295601Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295600Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-879A-6149-BB29-00000000FB01}5004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295599Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295598Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295597Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295596Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295595Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295594Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295593Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295592Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295591Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295590Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295589Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295588Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295587Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295586Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295585Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295584Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295583Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295582Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295581Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295580Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295579Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295578Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295577Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295576Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:43.454{5097E253-483C-6148-0D00-00000000FB01}904924C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295617Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.750{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7D2AB2909F3EC60DEFF39BD23C8293,SHA256=6E82BA973CD629058A272DB9E3321BBDA1966EE43629174120E14CB8DA968D26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258833Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:42.667{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50819-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258832Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:44.411{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB8569763FAE9FCFB88C824CD57DA5F,SHA256=5711F441D0A8AB84C383475BD9549C8307922F5058D16C59F9AEB921659339FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000295616Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.563{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exeC:\Temp\remcos.exe2021-09-21 08:00:44.563 10341000x8000000000000000295615Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.500{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295614Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.500{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295613Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:44.500{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9129-6149-792B-00000000FB01}3160C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000295612Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:42.444{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59132-false10.0.1.12-8000- 23542300x8000000000000000295618Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:45.750{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E45156DB32214A22A1D07C94D6C17E,SHA256=95FEC90D7686B75F5A7B9A804942FB041B35FC829665C2B5030491FF4FFB03C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258834Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:45.427{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80BA462DE44FBAB49EB900B9A80690F,SHA256=AA782CDA33A02A50D48F02FD923BCFF7C9AFD51EB66EA99A07F4EB14C0F20FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295619Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:46.751{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04274A029C0DC991420227247204353,SHA256=8EFA76C16DF378B2880F733CBDD59C4054247CCA523E3438F847FF80C342822B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258835Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:46.458{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4EFF64D6C704FCCA5CAD213AF25671,SHA256=71E76E59769D88185FA398E1301BA6252701E026029C6EBEF2723D8F3D48E541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295620Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:47.938{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2F0B5D84BF1A36CA0C0E93334E9C98,SHA256=71F70659821129907E52D4111F20C356B8B6AA37CFFF0A3450F1DA11A708900A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258836Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:47.490{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE08372FF7B8877C747DDE7E349C305E,SHA256=3385F220ECEFD64B5FFC29EE7D4B07A3BABDB643CE76B2AD33B30EA142BF0F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295621Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:48.938{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3C947345CCEEB04B825F524521ADFC,SHA256=EA43308F361F8C981D933AC09FB3D9D4D0E10A5A7224086DC12F77E9F2A221C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258837Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:48.505{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5C23EEDED5F4D6D8531ED5D8E0F74B,SHA256=6D8EA8825A037205C3FC1C8140A8DBF556498C6E872029EA550EF723A8366B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295623Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:49.985{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D3C299A3776108A7F715A2A143AC36,SHA256=603F2FC08080FC38C6FB9EB835908E024480D3AA419505C9F74FA10A9DC2571F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258838Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:49.552{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F4CA97D7CABEC5A642EF759AABF497,SHA256=98D30408C2F7D185D1A2D865E6FD86EE6FDCD5999B0588AFA379392C882A7EF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295622Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:47.522{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59133-false10.0.1.12-8000- 23542300x8000000000000000258839Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:50.583{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DCA0666EF3BD5879C78EF4C5E1BAB7,SHA256=58EE271DAB1D09D1544C49CBF47113A322DD0FB3D1FF9292B0E42370B6052766,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295624Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:50.891{5097E253-483C-6148-0D00-00000000FB01}9046264C:\Windows\system32\svchost.exe{5097E253-4849-6148-2600-00000000FB01}2872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000258841Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:51.599{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06FE0173494493EA41641A69238DBABC,SHA256=B8E48644905B2D899C40C35436B2183CB5562DBFC828616448CF5DE57E80630A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295626Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:51.469{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295625Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:51.016{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E693424E2A177BCA8BB9B5826E23A4F6,SHA256=DF861171F689700E23B8639B7274642B0DEBBF68629FD6527FA9E2CE48A30A52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258840Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:48.682{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000258844Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:52.615{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A843F002D34864D154F0D7080AEDB7AF,SHA256=9F054252EFB66CF6323F25BE108D690A38BA5C313D451FD4233632E071CDB939,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295636Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.563{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9134-6149-7A2B-00000000FB01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295635Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295634Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295633Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295632Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295631Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-9134-6149-7A2B-00000000FB01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295630Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.552{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9134-6149-7A2B-00000000FB01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295629Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.553{5097E253-9134-6149-7A2B-00000000FB01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295628Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:50.695{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50821-false10.0.1.14win-dc-966.attackrange.local49676- 23542300x8000000000000000295627Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.016{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4A86949D1D5AF8B4AA6BA8605BD758,SHA256=FE251E03040C1783BE62E174DAFC5E7F56D54AD08506344D37DA6DF2F39D9B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258843Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:52.380{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326B2668DCD8DDDDCB571325E7A3EB3B,SHA256=A8F319D828CC0D9F5F6CD32A1F2798BD80D63C959BAD5A2845F4D0198EF8258D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258842Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:52.380{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1417061F14742A0A3556EC26077154EE,SHA256=A396CFE8765BB6074BDCB72C6CD5321FAEDF7A88126BB532C0B6522CF50B467D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258848Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:53.630{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52514C0F6D23ACEB7085B340A2963498,SHA256=B4C2F47D6A16362766044F99F0B7554B7633077F702178157A6FFFAE989AE979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295654Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9135-6149-7C2B-00000000FB01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295653Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295652Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295651Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295650Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295649Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9135-6149-7C2B-00000000FB01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295648Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9135-6149-7C2B-00000000FB01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295647Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.907{5097E253-9135-6149-7C2B-00000000FB01}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000295646Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.391{5097E253-9135-6149-7B2B-00000000FB01}79167776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295645Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9135-6149-7B2B-00000000FB01}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295644Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295643Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295642Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295641Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295640Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9135-6149-7B2B-00000000FB01}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295639Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.235{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9135-6149-7B2B-00000000FB01}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295638Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.236{5097E253-9135-6149-7B2B-00000000FB01}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295637Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.047{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2CC57A6BCE0CE6FB775EEF3583D8A8D,SHA256=F5BDA4227B46077393C33A516886FDEB2A6FD343BA323AE47FE1980A1741B3E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258847Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:53.490{C189DCE5-4A3E-6148-0B00-00000000FC01}6243592C:\Windows\system32\lsass.exe{C189DCE5-4A3C-6148-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000258846Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:50.840{C189DCE5-4A3E-6148-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50821-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000258845Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:50.671{C189DCE5-4A3F-6148-0F00-00000000FC01}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.7unn-212-102-35-7.cdn77.com51479-false10.0.1.15win-host-917.attackrange.local3389ms-wbt-server 23542300x8000000000000000258849Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:54.630{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B45398F28D244DD329CBE3FB619DBB,SHA256=FF23449926B13C2510A8BFB35433E97140DBEA881DEA7C2E37C7C7D6F133D19A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295690Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.719{5097E253-9136-6149-7E2B-00000000FB01}65927380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295689Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9136-6149-7E2B-00000000FB01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295688Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295687Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295686Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295685Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295684Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9136-6149-7E2B-00000000FB01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295683Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9136-6149-7E2B-00000000FB01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295682Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.566{5097E253-9136-6149-7E2B-00000000FB01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295681Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=750B81126C6B3E1AC62774C7B809BD39,SHA256=774974DA3244C416245552457FB7F5A6E856D3FF1BEB409E5C9B610523EE493E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295680Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0B84F9508418B7DAD40E1C772A1253,SHA256=F94A00B032CC4076F86B1E60B744331E69935774036250EB21CE2596E377AF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295679Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.563{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64EC6DE2DB665072CB1462D87A568E6,SHA256=2A55E6ECBEDB821BDB943A30AA941757D9FF4EB0EE4E26D3D482A5CDEDF3D5AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295678Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295677Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295676Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295675Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164932C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295674Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295673Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295672Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164728C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295671Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295670Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-A429-00000000FB01}43844496C:\Windows\system32\taskhostw.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295669Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295668Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295667Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295666Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.063{5097E253-8792-6149-AA29-00000000FB01}48164776C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295665Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.047{5097E253-9135-6149-7C2B-00000000FB01}69007476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295664Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.032{5097E253-483D-6148-1600-00000000FB01}12924088C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295663Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.032{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295662Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483D-6148-1400-00000000FB01}10362268C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295661Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295660Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295659Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295658Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295657Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-8790-6149-9829-00000000FB01}25164212C:\Windows\system32\csrss.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295656Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.016{5097E253-8792-6149-AA29-00000000FB01}48165736C:\Windows\Explorer.EXE{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5|C:\Windows\SYSTEM32\SndVolSSO.DLL+bf8a|C:\Windows\SYSTEM32\SndVolSSO.DLL+c112|C:\Windows\SYSTEM32\SndVolSSO.DLL+bb05|C:\Windows\SYSTEM32\SndVolSSO.DLL+7c7a|C:\Windows\SYSTEM32\SndVolSSO.DLL+1355|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 154100x8000000000000000295655Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:54.020{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl,,soundsC:\Windows\system32\ATTACKRANGE\Administrator{5097E253-8791-6149-9C50-610100000000}0x161509c2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000258851Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:55.632{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4E6F14F6E9AE4D5793E1F0521E2FF1,SHA256=AE60E7E20C2DBB7CC40081250EFBF1F0042FCFF78566F169321DC1D7A631CADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295710Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9137-6149-802B-00000000FB01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295709Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295708Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295707Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483B-6148-0500-00000000FB01}416432C:\Windows\system32\csrss.exe{5097E253-9137-6149-802B-00000000FB01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295706Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295705Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295704Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.907{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9137-6149-802B-00000000FB01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295703Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.908{5097E253-9137-6149-802B-00000000FB01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295702Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:53.475{5097E253-48E4-6148-DD00-00000000FB01}3428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-966.attackrange.local59134-false10.0.1.12-8000- 354300x8000000000000000295701Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:52.824{5097E253-4839-6148-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50822-false10.0.1.14win-dc-966.attackrange.local445microsoft-ds 23542300x8000000000000000295700Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.688{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1A0E8E85A8E3D95EEFC47EF6AC9E6F,SHA256=2695089EB98DCD90BEBFF437BA2981AD3406B7ECF69FA472586BE8DD1EAB9A4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258850Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:52.969{C189DCE5-4A3C-6148-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50822-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 10341000x8000000000000000295699Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.376{5097E253-9137-6149-7F2B-00000000FB01}81122144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295698Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-48DD-6148-B300-00000000FB01}2592856C:\Windows\system32\conhost.exe{5097E253-9137-6149-7F2B-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295697Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295696Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295695Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295694Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-484A-6148-2800-00000000FB01}2904C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295693Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-483B-6148-0500-00000000FB01}416532C:\Windows\system32\csrss.exe{5097E253-9137-6149-7F2B-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295692Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.235{5097E253-48DC-6148-AF00-00000000FB01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5097E253-9137-6149-7F2B-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000295691Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.236{5097E253-9137-6149-7F2B-00000000FB01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5097E253-483B-6148-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5097E253-48DC-6148-AF00-00000000FB01}640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258852Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:56.647{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CACF28EC86C21829A64FA87DF6A2605,SHA256=AA33669426CD87D80145A469B5C301D9B79DC13FB889CED74F59E7AD322C2391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295711Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:56.688{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E91C2C0C7FADB9DA2109106C1F87279,SHA256=DD5D291FA3E7B239AB068B25CB8469B659B047C679C3EB2E631B22DD42EC53FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295714Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:57.719{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E148BD65B3E74460DFF4FED86D7C6643,SHA256=112588BE33E58FF52FA5EE1D4CEB3B4A513719DA122EE9A85D32033B659496BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258854Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:57.663{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50E3CA781C301635A7C808AE85D09D2,SHA256=94B6BE32A9762DDADBBE71F869238510C695A58BA133D1C42FE3EEA42DFD4D11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258853Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:54.637{C189DCE5-4ADC-6148-D200-00000000FC01}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-917.attackrange.local50823-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000295713Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.804{5097E253-483B-6148-0B00-00000000FB01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59135-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 354300x8000000000000000295712Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:55.803{5097E253-484A-6148-2C00-00000000FB01}3016C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-966.attackrange.local59135-true0:0:0:0:0:0:0:1win-dc-966.attackrange.local389ldap 23542300x8000000000000000295715Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:58.735{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A6C5038E425CB139DE5935F0EC804C,SHA256=42337A71EBBA29C9FD75E146AAC20D1B5E67EF82D6A347B126D9B5B461EE2BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258855Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:58.678{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC6EB8C72F94E98FBD186B616BB1762D,SHA256=29F33050891EC4BE91FCA7D4FF63633E4CF44A39E6BB04C36C1BDD913CF2B5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258856Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:00:59.694{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FBD88B8776B565DDDF58202ECE4BFA,SHA256=B3D185F568A4B6D42D6179D3071F518AA7B65003F13D0C34B76C1C28E23AEBA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295716Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:00:59.782{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58804FE57168AE513A2ACB688396C474,SHA256=1F7AA36D21308C28711007092BA8583AE4489850CD5A3CDDC65551A9889B7B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258857Microsoft-Windows-Sysmon/Operationalwin-host-917.attackrange.local-2021-09-21 08:01:00.803{C189DCE5-4AE2-6148-DB00-00000000FC01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BF1E188AE49B2FDE4698927EE94D92,SHA256=39385B05B035CF47A60D1B30AED655D52913EF8F81DA5F1F0EC8C8685E193007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295823Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.985{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795F8D30767BF9E9F0BE50C4790D322A,SHA256=CD14B7CFC77BA64729F28A2B018A44E740059A2D67512330BA019C44B6A6D402,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295822Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295821Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295820Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295819Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295818Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295817Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295816Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295815Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295814Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295813Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295812Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295811Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.954{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295810Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295809Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295808Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295807Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295806Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295805Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295804Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295803Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000295802Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-48EA-6148-E600-00000000FB01}3448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3280DE0A8BD9ED096EBFF6B48FDCDB13,SHA256=12ED44B409477AE235C7564B47873A25CAF790019907716A1A52FF2ACB920F7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295801Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295800Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295799Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295798Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295797Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295796Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295795Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295794Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295793Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295792Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295791Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295790Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295789Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295788Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.938{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295787Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295786Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295785Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295784Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295783Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295782Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295781Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295780Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.922{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000295779Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-09-21 08:01:00.922{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceClasses\{e6327cad-dcec-4949-ae8a-991e976a79d2}\##?#SWD#MMDEVAPI#{3.0.0.00000002}.{6C26BA7D-F0B2-4225-B422-8168C5261E45}#{e6327cad-dcec-4949-ae8a-991e976a79d2}\#\Device Parameters\FriendlyNameRemote Audio 13241300x8000000000000000295778Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-09-21 08:01:00.907{5097E253-4839-6148-0100-00000000FB01}4SystemHKLM\System\CurrentControlSet\Enum\SWD\MMDEVAPI\{3.0.0.00000002}.{6C26BA7D-F0B2-4225-B422-8168C5261E45}\FriendlyNameRemote Audio 13241300x8000000000000000295777Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localInvDB-DriverVerSetValue2021-09-21 08:01:00.907{5097E253-4839-6148-0100-00000000FB01}4SystemHKLM\System\CurrentControlSet\Control\Class\{c166523c-fe0c-4a94-a586-f1a80cfbbf3e}\0000\DriverVersion10.0.14393.0 13241300x8000000000000000295776Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-09-21 08:01:00.907{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Control\DeviceClasses\{6dc23320-ab33-4ce4-80d4-bbb3ebbf2814}\##?#SWD#MMDEVAPI#MicrosoftGSWavetableSynth#{6dc23320-ab33-4ce4-80d4-bbb3ebbf2814}\#\Device Parameters\FriendlyNameMicrosoft GS Wavetable Synth 13241300x8000000000000000295775Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-09-21 08:01:00.907{5097E253-4839-6148-0100-00000000FB01}4SystemHKLM\System\CurrentControlSet\Enum\SWD\MMDEVAPI\MicrosoftGSWavetableSynth\FriendlyNameMicrosoft GS Wavetable Synth 13241300x8000000000000000295774Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localInvDB-DriverVerSetValue2021-09-21 08:01:00.907{5097E253-4839-6148-0100-00000000FB01}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0004\DriverVersion10.0.14393.0 10341000x8000000000000000295773Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295772Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295771Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295770Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-9136-6149-7D2B-00000000FB01}5104C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295769Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295768Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.907{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-8792-6149-AA29-00000000FB01}4816C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295767Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295766Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295765Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295764Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295763Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295762Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1600-00000000FB01}1292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295761Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295760Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295759Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295758Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.891{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295757Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.876{5097E253-483B-6148-0B00-00000000FB01}6321892C:\Windows\system32\lsass.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295756Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.876{5097E253-483B-6148-0B00-00000000FB01}6321892C:\Windows\system32\lsass.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295755Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.876{5097E253-483D-6148-1600-00000000FB01}1292376C:\Windows\system32\svchost.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295754Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.876{5097E253-483D-6148-1600-00000000FB01}12921320C:\Windows\system32\svchost.exe{5097E253-913C-6149-822B-00000000FB01}6804C:\Windows\System32\SndVol.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295753Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295752Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-0F00-00000000FB01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295751Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295750Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000295749Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.localT1031,T1050SetValue2021-09-21 08:01:00.860{5097E253-483B-6148-0A00-00000000FB01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Beep\StartDWORD (0x00000001) 10341000x8000000000000000295748Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483B-6148-0A00-00000000FB01}6244080C:\Windows\system32\services.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295747Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.860{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295746Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.844{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295745Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.844{5097E253-483C-6148-0C00-00000000FB01}8483568C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295744Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.844{5097E253-483B-6148-0500-00000000FB01}4161648C:\Windows\system32\csrss.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295743Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.844{5097E253-483B-6148-0A00-00000000FB01}6241976C:\Windows\system32\services.exe{5097E253-913C-6149-832B-00000000FB01}6872C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295742Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295741Microsoft-Windows-Sysmon/Operationalwin-dc-966.attackrange.local-2021-09-21 08:01:00.829{5097E253-483C-6148-0C00-00000000FB01}8483048C:\Windows\system32\svchost.exe{5097E253-483D-6148-1300-00000000FB01}920C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781