23542300x8000000000000000158755Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.893{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C09D4B7A1639D01ACD3D0BC82028D2C,SHA256=F15B41B9C28EDE779D089759CC1A9E1A91CB483BE47C26DEFF310C5CFEECE744,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158754Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.721{189417FC-29F0-618E-8001-000000000602}45404532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158753Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-29F0-618E-8001-000000000602}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158752Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158751Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158750Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158749Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118252Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:40.176{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46013E6C085E71B3036C35FFEEAA644A,SHA256=3B587B45ADA4898FE0B30B14D4E56B8719476A20A91A58841921127F8A90161F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158748Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-29F0-618E-8001-000000000602}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158747Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-29F0-618E-8001-000000000602}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158746Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.331{189417FC-29F0-618E-8001-000000000602}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000158745Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:37.107{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52806-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158766Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.986{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04083943DF38A63C1AE6C010B9AB539D,SHA256=EF62D41136DAFA57518876F802EDDB461BA5E359942B40048D3836021C878751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118253Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:41.189{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D29666B8A3F68FF2AB66CFE34157AF,SHA256=6BCA29629F14E70B44C2CA621623AD741626B4839AE604900B4F678DBAEA7442,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158765Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.596{189417FC-29F1-618E-8101-000000000602}48444900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000158764Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.361{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9D7AC5B60226DE304692754B2B9D6D5,SHA256=0BAA9D32B23430C4E3D892FC267CDA0973265EDF67EBFD70539AD604C15CE077,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158763Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-29F1-618E-8101-000000000602}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158762Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158761Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158760Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158759Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158758Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-29F1-618E-8101-000000000602}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158757Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-29F1-618E-8101-000000000602}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158756Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-29F1-618E-8101-000000000602}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158776Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.986{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B7337C6FF31E9F90BFCED50185F057,SHA256=8E388FB6D3553E672A060366DE03D4E4050E74108F97B1085EE1C7044989A60C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118255Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:40.716{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118254Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:42.204{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4DC017A56E0777BF96B6779001EE72,SHA256=FD85C13A074DE23424C6D38DE81C5D9208B95B52F7E7F1A3CEC7F44B00A99ED4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158775Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.314{189417FC-29F2-618E-8201-000000000602}41964216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158774Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-29F2-618E-8201-000000000602}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158773Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158772Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158771Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158770Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158769Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-29F2-618E-8201-000000000602}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158768Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-29F2-618E-8201-000000000602}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158767Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.112{189417FC-29F2-618E-8201-000000000602}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118256Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:43.220{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DCACF56BAF909DA5C72BC0F46DE66A,SHA256=8D9BA50C21175B3B5FCC2401DB626666E5798145A232DC7256F3F941B7197F71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158785Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-29F3-618E-8301-000000000602}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158784Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158783Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158782Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158781Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158780Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-29F3-618E-8301-000000000602}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158779Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-29F3-618E-8301-000000000602}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158778Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.550{189417FC-29F3-618E-8301-000000000602}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158777Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.127{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFD14CE93BC31CB6AB4A68E68B2976BF,SHA256=C7499DBDE8388BB09E1F08CFC0F0A9C2A011C23FD897A6FCF72E326973521F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118257Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:44.236{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321DAE5667872B16439E17A553C0FA06,SHA256=6513C9C2465A50DBCB43C97B0107304AC79605BA98E9F2FEFBA6CFAE83BCBB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158787Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:44.564{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=069159AB98AB67AA14058844A965D621,SHA256=EE0018F0DD431FDD50B6299550927E0605E00241C836D4C720135EE9B23B5257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158786Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:44.018{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3E6DA13DA0B8972DB9C5E9ECFDAB79,SHA256=19AA2147AF45F771A88929A11F46547950F03371D0FB4371BEE138EEFA551A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118258Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:45.251{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA441589288ACDF67ADA6B35C8C2B2A,SHA256=9356C61404A42F87680C6076A237A694BF83B9F747B159521CEE1A43EC6F9B66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158789Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.279{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52807-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158788Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:45.049{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A95CA67F60168D3632ABC3F82E6CD7,SHA256=309368AF10A80422B3CFD3A5535BF862A9F4A8D07E2E375F8F0FFE4B4E96396D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118259Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:46.267{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F690F06715942332FD0C54A336D68FEB,SHA256=43B0AE108D4916892BA700970D3E5CC4B8446BE2ED864CDD5B68B4B9929F522F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158790Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:46.299{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B3095638E172D11A114FAA3942158B,SHA256=2BB4D62E900EC15D1EDC55CE13C697F174EC2EF62940CD921D5432793377BF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158791Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:47.408{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26D7014806043833EAD3A99620B5EF9,SHA256=F5C0705CFFC47267CFFCA739ABD6C57A0090DD5ECB3764CE82B3A43DB9938C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118260Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:47.267{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84B0EFAA27A03E76D9A7932BB458528,SHA256=CD378013BF4952DEECA6D492BDE86200F2C52F1348028BBBD5F52D4783954C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158792Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:48.658{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4BBFD4BF9D8A5CAF9EDD23F0E19BD8,SHA256=E25A56B7AD9254A70A03DC0443428FE79305FFD6EB1F7ED31CC9A98D7BA6365E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118261Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:48.283{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80D3DD0FFEC97FBCAC7F498F3419C51,SHA256=0B6565B8966EF4D603F821AACA623B02D2F17002A56F4D13EFAC3A133DFB7199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158793Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:49.674{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A42FDFA1DD4F982078E225DF2A07878,SHA256=00C4C5FFC83305152A554523C02F5555B272C977A81C69AF17F723EBD9800FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118264Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:49.397{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-027MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118263Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:49.285{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9329E8A8CF7F78971EDEC7B9761F9F3,SHA256=E4EB67F6BACD4E94A358168E9F20D467029594A8FC80C3512C916ABC08A5D5A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118262Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:46.575{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158795Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:50.674{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA286BCAF103709FC0ED13E5D44695E,SHA256=9CC794D50006D13D2C053BA671EDD25255A0BB3B8331942A1C11D35288482D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118266Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:50.398{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118265Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:50.287{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A221C3D8EA32735637411074E3C7DD83,SHA256=18AA8A53AD21270914EB21A40899A7E986770F07A9F49FE833D32E7142D83FD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158794Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:48.154{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52808-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158796Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:51.674{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FC38A0F323691598CE4841978812A3,SHA256=6D0432C72AAFCA1129B5CD8590861BB257C01FFCFE9FC28A507EBD9F07B67D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118267Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:51.303{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6D9CF0EE4B4927EFD42C02B66BEB54,SHA256=2876695E8C50A2BE7E067329D8A09B620703961F28D18461AE7746F3D00A523D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118268Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:52.350{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D389B30515345DC9962B5D6DF085F384,SHA256=C8DA5D6F12639B8B5AD5AAFBAF9ABD64BA02FF9B5F645E935AFCB884237FD246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158797Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:52.799{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295CC0BC8E3BAA75F44A8F2798387CC0,SHA256=7EDDC7EB4B75C8E609B32AF354BF1545D6705A93A91F5909B418C41FAF2FB38F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158798Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:53.815{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0A864F22AAC98FFD298DC92D33D0C9,SHA256=4381142CE8E05A310013977C6673E01B8CD986684B22D425C2F412C7C5DB280D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118270Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:51.658{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118269Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:53.381{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10ED4D3A7CFE67818BF0D6169D8F494,SHA256=4DA4F803E6F607974EE26F30AF720FFED5468C31D3922ED4F225D5692CF234C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158799Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:54.830{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E181CF2E707F7F6BD08CC000F2C6AE85,SHA256=3F9813A59EA2B31E3990C6DABF2D7D1F0F61CB26CEC3CA67D54C16A053A1D89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118271Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:54.412{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D722249F40A509514F84758E0EB741A2,SHA256=87EE78B1EB0F1A242876A8AE15FA7730A58C477B5033526809E324EB35C6599C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118272Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:55.521{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF2949428E3B1983A1D8018BC9E3425,SHA256=2A4B1CA082B001F9764EFD606926E38268A7E714467D2EC52C786E3B4F16DF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118273Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:56.537{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD0D4DC8EE8268874037F570AB29945,SHA256=080E91B5D72A551E0E7C9F85E6326EF2414D98C8E4D281A2A3766E96D2E0FA17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158801Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:53.248{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52809-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158800Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:56.018{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8459A5408D9EB99A689208524A178B,SHA256=885BF35FE5EB42502FD0E5B0B5D33BA8641716EB3E4153155838B3460335F3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118274Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:57.600{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5770218BB5DFC1AAE47518DF83F085,SHA256=E463F1B3E5D918A6261C351054BAC2B996F0323C6EFD85EBDC74DF501D6D129A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158802Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:57.018{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA3F349A228FD2615B2B2DA6E507D70,SHA256=964E6DF1EB0EF35C2C2747B28F7B6B230B2F3F855D97F3B0500845F6D5869E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118276Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:58.600{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF71C0D0426809423EFF9708AB0A2B3D,SHA256=BBDEAAA071251B1D1452B3BB5C3A7EFDE4A45FF7FE5B892EB34D66484A48EED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158803Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:58.252{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0420EB29E8C3D65684B31087643A905E,SHA256=9492D233C977B06CBC6266140D19866F3529CCE1A0D2691A0AD8EF12CD030EA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118275Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:56.736{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50081-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118277Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:59.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882982284A0084C10960B15F90D74AEE,SHA256=0315B510E198B0E9BA80B6CB6B2E011B3811FFA01F4533E69BF1B535CC2C9C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158804Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:59.408{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F88D5C88B6D3B039B58943CA9C075C,SHA256=8F9D74813B80A6699650DED18560F8E40FB319D6F69ADF7BCB47CAF8DB1905FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118278Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:00.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF1CFF23BC2C9ACC565754FAC6FEA62,SHA256=FD2FDA56C87257B0C5CC2D4B5CB48F2F71ACA4BFA18B86237A73205481E5C64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158805Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:00.471{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B118B8B4D450ED6DFBB54E8FD94720E6,SHA256=3F79A8753580E5B91587419A79530937E72ACEE89BEBFEAC0B19D568B3796D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118279Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:01.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B41450EC585EDA115E2FC3D2F18E9C,SHA256=4CE686CA4B36B2A09DCA60E0B000FF2D2860E25469F0A0DBCE1FAA804F36A366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158806Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:01.705{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940073731243303C1E7CEF4F2FEA3DF5,SHA256=4150A29CC4E49193BA8E1F8023B0A2634563FF3E50E7BC1000899CF0B702F124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158808Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:02.721{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA3F2CB79EE30582EAE52D7BE4191CC,SHA256=86670F512D6128A6A3CE359A09147E8BD130BD3239FE57880D03528EDF4ADE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118280Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:02.631{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6E9B2757DF0349F020E783A84B8753,SHA256=50D96333B8CD5E977F39572EAD04739709035FF1F806EC872A7E47C517636F31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158807Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:59.201{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52810-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158809Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:03.752{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724E389D7E138304F26AA57E6B1EE6ED,SHA256=B59F55DB08BBF4325045363C3214EB7AE9FF163D49D276DF8360458F26596C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118281Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:03.631{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B590D3BB10A5BFC2FA699F079118DA,SHA256=97BBD55392AED134485D30FD9DCD45DF88763A243EA7FD5F3C1EF563C4154B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118282Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:04.646{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D198158D27A4C5BBFE83E9D8511238D6,SHA256=E1CBA06974F9109B759817E77875C2BAEC1E6278681842F78FD5A8511A962600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158810Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:04.799{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7375F7D161EDC2641943E87DD07B0E31,SHA256=226CE879C01E00FD0C79EDEE3489A82881ABEBF5BC59E76FCA2C4F87DE2D4B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118285Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:05.865{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC494B9FAACCA3EE92A7E372F7DB70C5,SHA256=3970B6633F5FF66EE10C3B76375FFF08DB2674304F55C2101EC461E7A10A04A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158811Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:05.799{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02A288D1AFDB156FB015126D6FF81E1,SHA256=5CCE076C0412FE8318762CFF70CA355719D4D1F430415BC8760FA3C3D53F9832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118284Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:05.615{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D92744A99524A0DA4F955BBFBE900218,SHA256=FA4B8EAA5B8D2C20209E0E7FBD0A5B7F753031BE2BE620DEE2072D3BD737BC16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118283Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:02.582{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50082-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158812Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:06.924{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5499D07D460A17A105CBBF6149533F4B,SHA256=66AB7C734E62FFF2C1A23E1D3CD59687576C46000E1E93154F27DDF16AD5E112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158814Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:07.957{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550B064E5229373377E4A5E727CA32FD,SHA256=5EF3D1A2250F005842D6AE61A955DB8D19FCFFC3C4E5E447696B522789612428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118286Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:07.021{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5303C019E4AAFAE8BFC90D7CD053899E,SHA256=398B60E0F2C6AA204D7B82EBFA53C656B790B6E709027F0D87BFFC26CFF29A9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158813Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:04.279{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52811-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158817Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:08.963{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6394374F0504289857D565F7FCFE1C54,SHA256=6ECAD540124D21BA3002763F3E2C9CB059569820A9AA1CAFC9DEFBEDD89EE672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118287Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:08.021{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D87FD1A1C7C1D434A45A0AF21CB59B,SHA256=886B24E91C5E748CEA4E405FE83BC64A2C49DD2F18AA42D479702FE2500D5D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158816Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:08.682{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F03897E78B201BB00D24920085B5676A,SHA256=9F9B897F26F788281FC84A2D57BF3FFFE86590424D7A2A88B0C4D30A4A8F6FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158815Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:08.040{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-027MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118288Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:09.068{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7386CFEF9DA09FA64BFC9E2B46D9D24,SHA256=F2AB7AE286DA4B7984247EBC2DA363D69592703F4FE64BA6ED6B4E496D4A179C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158818Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:09.044{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158819Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:10.013{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6811B159643F776FE03C20C2023D0EF9,SHA256=99CBEBD331CEA87FA9E905304DFC87CEC44DF1C72D7209A1464023C7AA473481,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118290Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:07.783{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50083-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118289Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:10.068{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2E85344D04BF1F33C9CD76F7F1C9F9,SHA256=E39164561902B788E64C49800F624F92BD72D63D3FAF8B11CC4D28742548E145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158820Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:11.060{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D6C9BB0B3E79A394DC3F3CF44E843C,SHA256=F8D6C7A0611C09182C755DDD726FDAB399580E54DC820062DF3BCE53468BF9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118291Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:11.100{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25871D9D393DB6DE4D45CF49F534C3E7,SHA256=F99199F77951B4D74663CDBC1C7FAF176567B40285C061AEECFCA8EFFB0422E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118292Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:12.131{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F6BB7B1B5D5F6D159D184182AACDD0,SHA256=B6CDC825277077ACD33449254E2BAA4BCE1A90C3F93D098F254A3D5FFFD6CC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158821Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:12.295{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39F8555D6AC07B8977EABE974FCB63D,SHA256=C1CC06F850472BC2FE2E3DC8504086BC557F67DB007A60E3C546AEA45BD5DAA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158823Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:10.212{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52812-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158822Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:13.310{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBA193DDF4F0DE3A5C8A5DF5301B149,SHA256=9C411490AC1D55FEACB0C9572DB089C52B7C65529DE6D6819DCB497168DC2894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118293Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:13.147{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA03BEC8420BEA83FDF8550BEB37E35D,SHA256=E08DD1D9770C4D6FB2EFC771FA101A3FE217990E100BF79DE82CDC60F317FE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158824Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:14.545{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959BBEE90D739DE94FB7AD17E2394242,SHA256=BE50AA074241690E8123B72222DC5AD26278EBE02CF5C805400EBF1ADD98F621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118294Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:14.162{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BE6C7B55C9099B731D93F4D2101279,SHA256=7683DD17F35FE0027A399A48186192EC6C538441ABC7EA3B79FFDD3110A100D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158825Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:15.545{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51F611AEB15BE5143D2361EBECF90AB,SHA256=ED87D709316069B3B0A3ACDEBDCBDC6BE9289C26FEAE23E1795FEB2C9A28C160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118295Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:15.225{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B54C917C87DA047748489C91060C6F,SHA256=622747A97F97A57160E5C19138AAE2B7043A7174398072C03E7557FD051D025A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158826Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:16.576{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432A39449E5B025F785C8BBD2227B1D5,SHA256=3B52D3B0A9EDD866AE4C57ED3B7D51D73C837660C9F5D0A1CFC602441DF3DE71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118298Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:13.768{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50084-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118297Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:16.334{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7455D2954D89B521D6151E694B3861E7,SHA256=4D149E6A84B961B12E589A5F6070BDD46C2D61EA85F29E34A18DFE2E5573A6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118296Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:16.225{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158827Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:17.685{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069AD00A5902586FA5307CC29B009527,SHA256=005E56E5337D2DDB671CF7D229E5556DF74734262BB638A5267939FB7902DC43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118312Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A15-618E-5A01-000000000702}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118311Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118310Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118309Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118308Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118307Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118306Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118305Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118304Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118303Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118302Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2A15-618E-5A01-000000000702}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118301Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A15-618E-5A01-000000000702}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118300Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.804{147D18E0-2A15-618E-5A01-000000000702}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118299Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.490{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CFFDC481229174E9465E4EF1F53B40,SHA256=D8B9656721216F2752D806381CE1D8E9489DCD804FAE5DAC508740AA1475B1A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158829Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:18.935{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF20DA9CBAC1F34134A8C636EAB323A6,SHA256=E905CB753F75A76FF98CE44832F274642F84E9CA8A43ED264B362F0F035C8201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118330Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.850{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE00CC9A65700322E389E84944BBAB0D,SHA256=414F89D85C4DB040C4F7C768BA94ED5492F399CEF64BF6CBBFC48AC4A4F6AA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118329Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.850{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEA8C81C8D6932EC4687914E32BB651D,SHA256=786EFE1144E6843AB47BF9497A9892158B5E2157D57263449F3D1E773D729153,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118328Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.850{147D18E0-2A16-618E-5B01-000000000702}1880512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118327Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A16-618E-5B01-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118326Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118325Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118324Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118323Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118322Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118321Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118320Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118319Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118318Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118317Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A16-618E-5B01-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118316Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A16-618E-5B01-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118315Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.663{147D18E0-2A16-618E-5B01-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118314Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.522{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EF42D228235BBE9A8FBEE3B782C656,SHA256=3401CE3C8AC0D92E71F27A53C38D06D6FAB2704609C8186C75F5F447B63F9CF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118313Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:15.752{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000158828Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:15.228{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52813-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158830Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:19.951{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8495BEF5B646C97FBEDD1E5B00943B8,SHA256=CC72B06B2D5C19128679BED4C1FC37B55B9512C29A06867075DE4BD562D15755,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118343Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A17-618E-5C01-000000000702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118342Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118341Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118340Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118339Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118338Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118337Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118336Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118335Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118334Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118333Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A17-618E-5C01-000000000702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118332Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A17-618E-5C01-000000000702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118331Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.335{147D18E0-2A17-618E-5C01-000000000702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118345Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:20.350{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE00CC9A65700322E389E84944BBAB0D,SHA256=414F89D85C4DB040C4F7C768BA94ED5492F399CEF64BF6CBBFC48AC4A4F6AA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118344Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:20.022{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D35531D7651B8836BCB71579AF50056,SHA256=3B5E3A38AEA11FEADD770C300F659DF1C315C4B8BA5B8A40EF840B6F0EE79C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158831Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:21.014{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC1D8213481E397DE45B2B379108BB5,SHA256=66B580B65227B28B9D145D0A47C0AB9DEAD28B8A442E3282178C893CAECDBC15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118374Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A19-618E-5E01-000000000702}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118373Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118372Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118371Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118370Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118369Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118368Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118367Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118366Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118365Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118364Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A19-618E-5E01-000000000702}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118363Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A19-618E-5E01-000000000702}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118362Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.835{147D18E0-2A19-618E-5E01-000000000702}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000118361Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.611{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000118360Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.287{147D18E0-2A19-618E-5D01-000000000702}37083344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118359Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A19-618E-5D01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118358Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118357Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118356Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118355Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118354Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118353Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118352Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118351Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118350Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118349Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A19-618E-5D01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118348Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A19-618E-5D01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118347Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.132{147D18E0-2A19-618E-5D01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118346Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.115{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23067763B465BE50448412EE22873E56,SHA256=AB24A42C276A1C96FC90A046BB466F2326F7F527D2D8316B4CED9DD0846212B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158832Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:22.045{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA273DF45CDC62C8256649B69690097,SHA256=4243CB73B05A0E18E305F430A3C5DB306216B1E1DBB3760CAC04D26FCF7AD020,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118391Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.662{147D18E0-2A1A-618E-5F01-000000000702}40602836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118390Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A1A-618E-5F01-000000000702}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118389Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118388Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118387Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118386Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118385Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118384Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118383Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118382Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118381Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118380Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A1A-618E-5F01-000000000702}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118379Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A1A-618E-5F01-000000000702}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118378Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.507{147D18E0-2A1A-618E-5F01-000000000702}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118377Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.162{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=085C81346A4B2F052113D9462B2966DB,SHA256=12C5E407645B20D0F219C6677589C2E7FC7A22CA112CDCD8231BFE83F0FFC4AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118376Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.147{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E45C4030B0E21D1CCFB94247CB57C7B,SHA256=70716189DC2EC9468C65643F13C87C8D40F1970D962ED5DCA11CA0673D23CAD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118375Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.006{147D18E0-2A19-618E-5E01-000000000702}35523696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118393Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:23.600{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F5BC9D6ED073268788AB918B9EE2900,SHA256=6C6F83C0B3A4C5F548518D488B4F20220A59D93BD151E81175534D9AC3D43C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118392Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:23.162{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3701E72CC84BAE6F4356F056E809481A,SHA256=D5CA088D41C6E9D943DC6FA17B655058900299D84D1E3A2E5B853F985031FA68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158835Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:21.119{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52814-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158834Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:23.357{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158833Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:23.060{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BF83750CD7A04D87C3C9821FAA7EDC,SHA256=86FA242C76E5C333FE5875088D2E45A7361E188662D03D99D18477DCAFB066F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118407Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.334{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4426C9E49BF10A442D0807DA918514DC,SHA256=FC326811141A7AFD321034213B8C62401CAF3331AF9254766ED6A597BEC21EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158836Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:24.076{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC6F8D56BD61BBA11D1F68F7AB27A3F,SHA256=C02058A5F03137B549D9C057C346C862E2A53EDFD1DCBC2A76C50FBA46139BDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118406Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A1C-618E-6001-000000000702}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118405Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118404Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118403Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118402Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118401Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118400Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118399Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118398Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118397Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118396Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2A1C-618E-6001-000000000702}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118395Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A1C-618E-6001-000000000702}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118394Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.304{147D18E0-2A1C-618E-6001-000000000702}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118409Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:25.522{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85D89502B9B94D9D362A5AA5D969A477,SHA256=7546FA88CA7266B65DFF8B48DFFF1474EB415FE61F98D599D4A428427E0D05A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118408Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:25.365{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34EFF8C144769E69AE2489FEDEF21FB8,SHA256=1EBF22CC0444D252B0F23FE8EA1345EC983095E70981EAD828037227866EFBCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158838Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:22.369{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52815-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000158837Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:25.139{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8EFD855E97FAE7ED1FEDE12A40B274,SHA256=E579C2621E495EFC4F80375CDB85D11B31DC453DB3E322192F6C72465111817F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118410Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:26.443{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144A21A89ADCE572FCDE341DB8E3D34A,SHA256=2C2815B378B0CA7ED5E98479F941B8592B8876D5D935B068C892ADC9F00CEA1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158839Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:26.154{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F5BECA95783182F346D117F0F2DEF7,SHA256=6D7D55A081C65CA1A4DE7DE1343595BE23286C876BC91D0B4EDF044866B3AD1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118412Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:27.522{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C868B8AB00A8FA3408256A746A9036,SHA256=70CCDF391124355A9C8131C52A867217E3B295E90149AB2E5B0479F7B604589A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158840Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:27.170{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F81B9FE61CF4A93C6AF4BB18769817C,SHA256=48B895E8284E28D10A1EB809C07C7DB8A53149666FAE588643F05FCCE2107894,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118411Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.720{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50087-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118413Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:28.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B53F6283F56F7B2F8A86CA1213456C9,SHA256=4CF7C731BBE44ED2172537150DD8C5ACF2F7FC9F6E834E26AFDA1A40CB761281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158841Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:28.170{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40E0F34F3D7004CFF04EBBCA6807A7B,SHA256=E5E8626D170D0EE09249E87F4F8F7630C66A9794610B8AF6D1EF4B5463A3E2CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118414Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:29.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C3BFD96BD424F6DA671476DC4EB547,SHA256=C66BE067FEA65495B1A52DC8288294BD95E33C72C911E0710F4FA7288ECFF28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158843Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:29.185{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E629280630ED0A434D12D522F56C8AE,SHA256=45B7C5B73A568024D7F9AC275990BFC9BDCDA410EF4BC944977280B07C47C2C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158842Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:26.228{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52816-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118415Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:30.662{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D0DA09570979F9B15177540FD2DB80,SHA256=EB9773D49EFB947FA0BDC6B47408C3F4E2C2CF74F33A122C44C6B182B4B34427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158844Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:30.201{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211C54AAB9B8E216CE4BBC04953DB1D3,SHA256=7520FAC93D7A65EA47196556008329A4F427034735C4748E77A7C7C3E341851C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118416Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:31.678{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1733F75EC590091C8B0EE5DCDC832A28,SHA256=43359E396515FE5B187C7D3B60B58963A5F9113EDBEF2DB8D1018D8B9180F9D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158845Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:31.217{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E323E6D92087722802C4CA933BE9AB7B,SHA256=7736E822EDFDCAFA37276766F42CB9F0D6A256877475A136C1155CAA51E5972D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118417Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:32.694{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EE040934AF47E9E9E813F53EE255BB,SHA256=8817DC4039AFED2F771385F752D316F212993BEBD71BC48FBB8F8B7E4C7A220C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158846Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:32.217{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D395328FBD5931DA1C94887A0FB76772,SHA256=30750198875509A5772671BA45C8E1367DDBD35DBE5FC47D8E10F8CD98BCC36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118419Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:33.694{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AC4C589060759E5E2A7613C08403DC,SHA256=82FB15876CE31DB38E6189C76E13ED80A00877452309BB90FD6815533587174C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158847Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:33.217{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FF4692009EE83E9F3B6003448F9A32,SHA256=B64781796BAE9708509FD5860D565C9DF9DF396CCC3F07CD547F1FC53CECF80D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118418Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:30.595{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118420Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:34.694{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD948F51F83D5F8F3B98CEB5B31D726,SHA256=062CBE32E67DBE836B56AA951719DB3DD40100838121E28FA52E6358BA7E7BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158849Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:34.217{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F1EE8D145616E67C2B369CB72EA580,SHA256=C1921104E1F9E387CD932CBF8E279B83A42D9745D7F2D9F04123592B6FC5FC81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158848Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:31.290{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52817-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118421Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:35.694{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80BD909E30CA54BE37D72D02F161E15,SHA256=99C92FF0DD87496C90FFC10ECF40182F18D0EE60B14EAB25233A348C0E0F1FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158850Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:35.232{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5864B7DC429C11F57AC67683C435514E,SHA256=3954AE3B7E18A282785773975804FDAB9FCAEA2173341ACB8515C7A824EE0D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118422Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:36.709{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD2CDFAD58937D7F5365149E2225DD6,SHA256=2B1A63937AC66CE943F7B498662CF1372B41D3BAB661C139C04500BA00B71705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158859Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A28-618E-8401-000000000602}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158858Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158857Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158856Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158855Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158854Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A28-618E-8401-000000000602}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158853Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A28-618E-8401-000000000602}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158852Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.921{189417FC-2A28-618E-8401-000000000602}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158851Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.232{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D368699380D6A5A367E83301959175FF,SHA256=6C33FD55FD1C96B37AB93A71E6B23353DADD2D501232FBEF76A3B2C2FFEB423C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118423Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:37.709{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FAC9BE3611911AC75933D6B4DFC2B50,SHA256=FE6BBAE7E8C358733D2428F3273F51E569AED3BBD520AE946CA331AD02233A3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158877Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A29-618E-8601-000000000602}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158876Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158875Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158874Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158873Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158872Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A29-618E-8601-000000000602}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158871Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A29-618E-8601-000000000602}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158870Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.921{189417FC-2A29-618E-8601-000000000602}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000158869Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.670{189417FC-2A29-618E-8501-000000000602}46441160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158868Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A29-618E-8501-000000000602}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158867Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158866Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158865Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158864Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158863Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2A29-618E-8501-000000000602}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158862Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A29-618E-8501-000000000602}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158861Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.421{189417FC-2A29-618E-8501-000000000602}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158860Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.232{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FDE827320010FEB1BE2E983D68695C,SHA256=E6A8FE1A3C61EDACA0E5D4866BACFCF13109567A699D40DABE3EB4A5448F7705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118424Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:38.740{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB08175BBC4CD69FC891CB3104A4CF4,SHA256=F16F300A4E620E11C9FBAE35B79C8CC74128A455F1EFD37D896016C0F7DE8AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158880Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:38.248{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9976734FA46DE5225B6CF358CACA4C7D,SHA256=A61F4617A008F52DFF04868D7E723DCD325481F8978607C1333B01C11DAF173E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158879Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:38.076{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EADD1B137AE7406DCDE7B9CA4491C9A1,SHA256=F77292B59C40AD3C1F90FBF7FF6E99CCA18537FD14A4CBB464C21C4ED7D608FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158878Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:38.076{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67BAB86E9BF7A3279C365F34B321A3AD,SHA256=490A26700725292D4E837B1D41C5B6AE6E05F50D31C201602D3EA803A1106B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118426Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:39.756{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1D91A7D61D05E2D385C0F18928EFED,SHA256=1FE92621C2DD17ED6EA76DBD2F75F13538B1CBE2F6ABB2A4D2C74F15F3428A06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158884Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.119{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52819-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000158883Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.822{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52818-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000158882Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.822{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52818-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 23542300x8000000000000000158881Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:39.264{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C92B81D446132F0EBCE3EE5094E6DF6,SHA256=394B0B9D133190E79EFEF5308943F1464BBECA59739007EC39CA853D2AE17FB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118425Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:35.674{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118427Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:40.834{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE6072B00C434C7B34F2F870881B6E9,SHA256=DCA2D76E810E9963574EF08DC15ED3BA1864733E69781AB758AD83DB42E53B86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158894Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.529{189417FC-2A2C-618E-8701-000000000602}26243348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158893Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A2C-618E-8701-000000000602}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158892Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158891Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158890Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158889Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158888Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A2C-618E-8701-000000000602}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158887Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A2C-618E-8701-000000000602}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158886Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.327{189417FC-2A2C-618E-8701-000000000602}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158885Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.264{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F70EDC7DDF55E144B47544F4B2E658,SHA256=07C3243A3A74AC1E218E86A3DC2B5DA461A6CA422C95900C9A3966F5D122E790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118428Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:41.944{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF1DB58F4FB5B59672184D83A77DAED,SHA256=BCFDB60771A8BEF27D1C7C68A2E83AD898337C07A4C1A21337E0F6C8970C8A9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158914Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.670{189417FC-2A2D-618E-8901-000000000602}39281124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158913Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A2D-618E-8901-000000000602}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158912Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158911Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158910Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158909Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158908Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A2D-618E-8901-000000000602}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158907Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A2D-618E-8901-000000000602}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158906Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.515{189417FC-2A2D-618E-8901-000000000602}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158905Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.342{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EADD1B137AE7406DCDE7B9CA4491C9A1,SHA256=F77292B59C40AD3C1F90FBF7FF6E99CCA18537FD14A4CBB464C21C4ED7D608FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158904Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.279{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BD280425EFEEB3188C8C3CBBDA457D,SHA256=A8E716EFE6D4C7B1B2A0C3E597ABFBD5DBEA5FDDDC8EF80437BC9A2165569374,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158903Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.217{189417FC-2A2C-618E-8801-000000000602}50244552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158902Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A2C-618E-8801-000000000602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158901Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158900Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158899Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158898Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158897Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A2C-618E-8801-000000000602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158896Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A2C-618E-8801-000000000602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158895Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.999{189417FC-2A2C-618E-8801-000000000602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158916Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:42.733{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E8F1B3BE3C2D4A62D299C5C5E81880B,SHA256=7EBE60C7FFFB1366E62BB56EDA48334847A13EBD75BAF5817C90BFE9C3ED66C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158915Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:42.279{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9C4B4E67A46487CE3A200268AD1F86,SHA256=D9E08341F4CA67F94DAFC1C43A9C94ABC4C298344938F82577945EE88226111B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000158926Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:47:43.592{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a1-0xf54d882b) 10341000x8000000000000000158925Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A2F-618E-8A01-000000000602}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158924Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158923Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158922Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158921Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158920Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A2F-618E-8A01-000000000602}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158919Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A2F-618E-8A01-000000000602}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158918Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.546{189417FC-2A2F-618E-8A01-000000000602}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158917Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.514{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EE1960E740D38C3EB32CC73B52244B,SHA256=18C55106C8F734D6D1DE3D682F2C1C9FB29E951C6F4BCBC6C71B3CC2B9ACCEF8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118430Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:47:43.319{147D18E0-233C-618E-1000-000000000702}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a1-0xf523d583) 23542300x8000000000000000118429Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:43.069{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC7E16710E0FE008E076ED947FC7EC5,SHA256=F23C51240EC1BBB8E8F032583CF34DDC326C302C4F9C1F7A954F7557D1EC92FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158928Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:44.717{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6777284CF8FDAE9D635F7F55A7380F59,SHA256=51563E58FB6C3A8D2A9499C42B4E4B57CF619F8BC31E4F3FA7C05A4F5A05D8B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118432Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:40.783{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118431Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:44.100{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CEB70549344E1AEDA9F818FBBD0097,SHA256=6CACA5866C2E00C5592A473EA7CA3F96809A1A0562CB113599747B642BC65884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158927Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:44.576{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE6E4A0BA3F35BD170DBD5BDF6990899,SHA256=D34FF4564A1654C4EFCF5984BC22D2799267CFC2C25118B3FA1F987F3135D9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158929Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:45.768{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF6DE04CF01E597DA6001DD42D59470,SHA256=419669FC453DAB29FBAA51FD6EB66C35BA0020292B2982C7E3D544F5935B2973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118433Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:45.131{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563FD05EA51D9B8300853A2CBFEC3A8A,SHA256=FB61A56D1947D441CCC69FDE4C26BC9D4C564B2CE817C24FB5D1D80728C7192E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118434Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:46.334{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BD612768B5C0AD46D83B3C63C5F2DC,SHA256=4509786F4B77C0F508F36D49B499139C20E25AFE2621BC4E7AF29C9BCA2304B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158930Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.087{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158931Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:47.002{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B571B1339DD823955EFE76899BCBA2E5,SHA256=D4DC5419EAE339853CFEBAD32AD23DECB9A4CBA326BF3C807B27D2EC5E19B46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118435Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:47.428{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6F1C2AFF92457BA8B016233ED8437A,SHA256=4F2DAD100A82B9EB1C1F407C2348F36A635AFBF85977889EF4DDDB70BDFFF65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118436Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:48.444{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFABBE3E8B1D0C6AF50C6567D6DF3E3,SHA256=B7846A3013DF753BB5786315B1CA936DAD8B0FEC999CA98B1A10BF7A1CC11C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158933Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:48.596{189417FC-233D-618E-0B00-000000000602}640NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.datMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000158932Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:48.237{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3CC45025A36D78B549EE8999F9AE77,SHA256=27B56A1739659EDA5A231D9E90134E1BE15980A32785E7B96C2870F10CA8E685,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118438Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:46.736{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118437Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:49.459{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9491CABA4EFB322B6B8A633FE3FE4565,SHA256=AFBE098A7F3868AB6AF142CFF9FE4B302BA722F782ED54340AC3B8076E350E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158934Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:49.284{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145F370901C5C83CEA86F473BCD13984,SHA256=553F56915A4731553EAC87580D4C4762EB9D5CAECF49A29E8D071FD274BC5733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118440Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:50.917{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-028MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118439Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:50.695{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD38BD480DA526C7E466E6D948033DE8,SHA256=52B20C3EF4A041B3AD2346A741A0FDBEB9F0CB1F7D4314EC8BB619B690218EB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158936Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:48.150{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52821-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158935Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:50.315{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842A457089CBCF665F835D4F6285ACE2,SHA256=28E1A1F2E3371AFD0D05A978B4B96EDE856F181C6477529F903AF1941BD1855F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118442Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:51.917{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118441Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:51.744{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4273A0693D40629EC692DE728E6CA8A6,SHA256=8DF4BC7B658AC402662F81AB74E6D7D7EC64A93993BB0421DED1E58AFA184F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158937Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:51.409{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A4C975D9BC68CACA4F1A4BFED063FA,SHA256=1F7A80FF3547EBD105A10DA0A1D5D3C7F9BE7D6EB7FE877B97A7D75839FCE962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118443Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:52.760{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B140A75FEB9E5125E8FDD56EE92DD2F6,SHA256=22F3F1F5FEE60501E15FC99735EA2797810C4343775DFCF49A73B6E5B3992B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158938Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:52.424{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F93E71D1AC1DE80DB4AD6BB205FEC8C,SHA256=4124076FA560A470497F8702BF9C9FC744588EC80615C94AB234F129E108DD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118444Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:53.791{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573B20DA38C47A8A1B8EADA18F3E685A,SHA256=3522B4087BC0F13D65C0904BC87B261E179DE37F18C3F0DC93144EADD51F59FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158939Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:53.440{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A99AB868AFF5E2F592153DD13DFF0B,SHA256=B30933430F2792FA43847D1E21D87F7714650DAB4ABB611FF41B968437E01F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118445Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:54.807{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14F4DA1CBF0DC768A92A9C89D7789A9E,SHA256=94301B2B038AD58870FE0113CBF00D71F58F04E0F772612703C4F7966D87728C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158940Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:54.456{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE6CF23CBCCD0591D1DA1B629FFF3DC,SHA256=982CE9C8D873EEB4072DAEEE82F603F6B9AB71909E93BF0D40A2AF951DE659EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118447Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:55.885{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45B264404D3D8814267C67D506C8FA6,SHA256=0F7EF4A15F8A386E2AD47A0CD2ECEA5F24C724FD9FD7E1CC8EFD61E720BC88FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158941Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:55.471{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1947B55D9CFF4D2417AB3E3CD2F58524,SHA256=1FF1DD1822A2549E631DE4F1B175C0FD2ED75C38755ABDF7ACB8691EC0E4F5D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118446Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:52.615{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118448Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:56.901{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06D66A8C86AC5AF9787E22BECD4330B,SHA256=5BB21418E637882B9DF882F7F92C1EAE2376FA784C5180C66863BE0451088E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158943Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:56.487{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04B90DCA7A39D6C1D7DCC4C56E283DC,SHA256=45524F1EB5B7EEEB0530E5461B02326FD6BC4E80B7751AE20226577BE757D1EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158942Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:53.244{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52822-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118449Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:57.916{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDCA40EA73E9816A899D2C38CF13EAD2,SHA256=6C83315357DC0FF719457C717468D1F11BE452BDA19AEA8F775A651EA6AB89B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158944Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:57.487{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022B3ACDA6B886A291CF236F6C0B725F,SHA256=365A0246F613D5E1ACF730452EC63E2C022BFE24403EB472F010B6C97D8F911D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118450Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:58.932{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C30DBFA1185714180F9D7E12FBB8DB,SHA256=B273E77176FDBEABA31B1995EF33621E2288495ABBF5D518BD232B9C19DE13E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158945Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:58.503{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CABD5B8972A2D127B87CA7A7B050E0,SHA256=5863504DD481F34F07DEA8D07853ABEA7D256AFC6039C4D3C816708D66CAEC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118452Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:59.947{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16FB5FEC5203A1A8FAEB8C587D1CE1B,SHA256=98FFAD7A9C02910B62BFDC94FED6E9B54415D1BF58DB39B929DB42524F8A786E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158946Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:59.518{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E26782D59DF55FB775C8B9F7768FF5,SHA256=CCAA52072DCA39E83BF52E9DB350FFA08BCB2BAD0080D02BE42356E62C6239DD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118451Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:47:59.322{147D18E0-233C-618E-1000-000000000702}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a1-0xfeadd471) 23542300x8000000000000000118454Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:00.963{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A80781EA5045650D77890B8CD49119,SHA256=FD0770ADF545CE9416BDDD31887008596A0BA911B7CE1259E73E7FFD57AB6AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158947Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:00.753{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0FC74CE043456BA0F9B90CAA9E31CA,SHA256=60598E8E1854ADA491F54963A847B7371249E28BEAC3395CA10BF1B0DD42E3B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118453Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:57.771{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158956Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.768{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563D156A60407C28C84E10D7E64C68D4,SHA256=745EB84A8F822B2B7BE55171896A4C37C8E29526BBF0392FB5AEA365F7E8A71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118455Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:01.963{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51911F1F0B18EDFEB3BD97590484ABEC,SHA256=A620C67AECF1533F2689D6B5AE71A37C78EB66813400108499766CC02DFB23BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158955Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-29A4-618E-7301-000000000602}49281336C:\Windows\system32\conhost.exe{189417FC-2A41-618E-8B01-000000000602}3688C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158954Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158953Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158952Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158951Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158950Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-2973-618E-4D01-000000000602}19681584C:\Windows\system32\csrss.exe{189417FC-2A41-618E-8B01-000000000602}3688C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158949Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-29A4-618E-7201-000000000602}42484444C:\Windows\system32\cmd.exe{189417FC-2A41-618E-8B01-000000000602}3688C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158948Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.209{189417FC-2A41-618E-8B01-000000000602}3688C:\Windows\System32\ROUTE.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Route CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationroute.exerouteC:\Users\Administrator\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=56AA12B243152DF359E79D143F248F1D,SHA256=BFE7A626BF3B9080997401969954AE0376476FD220E80CC52707FF31CE827D53,IMPHASH=B4266771AA756897B5C9C266177A6A5E{189417FC-29A4-618E-7201-000000000602}4248C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000118456Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:02.963{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8D94158371D150FA742F3F559DFB9B,SHA256=DD9E55B0B6F0DC7C2907EDD642DD36F1B6A0D49C893A2CBE163A328391DE3255,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158959Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:59.118{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52823-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158958Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:02.221{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DEE9AE12ECE8A28EA1191BF43B52613,SHA256=AD74740D1B8D5A92AAD2E7A55D174628D8D358AA869164C1388359956218806F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158957Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:02.221{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3528A095A552431D92B8B6FDD05F5F58,SHA256=B44B1320A117A138F350A7280A0398F8426521B0E8F0A98E09031A20D887E5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118457Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:03.978{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDE1BE3EF939A9E0AD7B2774C46505D,SHA256=5803137ABA0779BB3A559800F8F5C3A95265AFAAF3BC6A25654A3274537DFE8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158960Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:03.003{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E17BF7C0C3B847DA942706DF9AC07C,SHA256=9C415693171E40C58D57266B594453E4A1BF987D06382FE23D6471B34A37E185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158961Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:04.018{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F70D0EF5381C9B4EF4C75BDE5E3A4DA,SHA256=6731CB2FD401C6FDCD2D85CB7E4A6D9CB044F0A459ABD67AA3D8E1CECA1D4FF0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118482Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000118481Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000118480Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000118479Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\FlagsDWORD (0x00000002) 13241300x8000000000000000118478Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\TtlDWORD (0x000004b0) 13241300x8000000000000000118477Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\SentPriUpdateToIpBinary Data 13241300x8000000000000000118476Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\SentUpdateToIpBinary Data 13241300x8000000000000000118475Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\DnsServersBinary Data 13241300x8000000000000000118474Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\HostAddrsBinary Data 13241300x8000000000000000118473Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\PrimaryDomainNameattackrange.local 13241300x8000000000000000118472Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\AdapterDomainName(Empty) 13241300x8000000000000000118471Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\Hostnamewin-host-29 13241300x8000000000000000118470Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000118469Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000118468Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000118467Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000118466Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\LeaseTerminatesTimeDWORD (0x618e3854) 13241300x8000000000000000118465Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\T2DWORD (0x618e3692) 13241300x8000000000000000118464Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\T1DWORD (0x618e314c) 13241300x8000000000000000118463Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\LeaseObtainedTimeDWORD (0x618e2a44) 13241300x8000000000000000118462Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\LeaseDWORD (0x00000e10) 13241300x8000000000000000118461Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpServer10.0.1.1 13241300x8000000000000000118460Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000118459Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpIPAddress10.0.1.15 13241300x8000000000000000118458Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000158962Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:05.049{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF79DA87E0A75F7405193EB382742EAD,SHA256=7BACF823785D6E2B5CCC33E5854B20AEFAF405B0757C4E4DA4A9F036FE4E4D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118484Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:05.619{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4F4EFCD11DE585C27A7FCD90EE950D89,SHA256=5E9D1848F2CDDE9D1E28A63E4CA5E057A166D7970E86F72A90DCADA6ADEB74BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118483Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:05.010{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C586E5746062B8C3B57949ECF41C50,SHA256=AEC99EAB98CB8A89DBB82D88F5E53970D50C1479F2164DAFF1EF572CCA84885A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158966Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:06.503{189417FC-233D-618E-0B00-000000000602}640692C:\Windows\system32\lsass.exe{189417FC-2339-618E-0100-000000000602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000158965Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:03.796{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.15WIN-HOST-2964796- 354300x8000000000000000158964Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:03.794{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.15WIN-HOST-2958308- 23542300x8000000000000000158963Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:06.065{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F08511017057A78F4CFB8A379E89718,SHA256=6A77BA9AFD5E95F5DCF713A783D821DA98A23E95D69A56F39D9957AFC0F9EC96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118489Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:04.320{147D18E0-233C-618E-1400-000000000702}748C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9870:38cb:8c6:ffff-58485-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000118488Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:04.320{147D18E0-233C-618E-1400-000000000702}748C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:424:c2dc:82cf:1fc7win-host-29.attackrange.local58485-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000118487Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:04.302{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-29.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x8000000000000000118486Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:03.740{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118485Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:06.010{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A4147EC74484C0C7066674C678C31C,SHA256=85F5C1C986BBD4E9F0EED4F3DD19F457A7B876B7354298920A9969D50FB018EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158970Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.518{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86CD3F6A81EE8F903EE7B2A9358D17E4,SHA256=BB3F8196F4D93BA4CB373B4925F34C70968F74C901ABDA795F85F9D9F64C3043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158969Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.518{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DEE9AE12ECE8A28EA1191BF43B52613,SHA256=AD74740D1B8D5A92AAD2E7A55D174628D8D358AA869164C1388359956218806F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158968Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:04.275{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158967Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.096{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26916DF6359C8A7702F5B9483078C239,SHA256=C8EF544DD081E28864D536ED52036A3DD5686E73D462057050CC9A1DC24AAD74,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118500Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000118499Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001b9027) 13241300x8000000000000000118498Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d799-0xa156ccb5) 13241300x8000000000000000118497Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7a2-0x031b34b5) 13241300x8000000000000000118496Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7aa-0x64df9cb5) 13241300x8000000000000000118495Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000118494Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001b9027) 13241300x8000000000000000118493Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d799-0xa156ccb5) 13241300x8000000000000000118492Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7a2-0x031b34b5) 13241300x8000000000000000118491Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7aa-0x64df9cb5) 23542300x8000000000000000118490Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:07.025{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF1A4DFA4D98BDA21451241572B3923,SHA256=333C90E0530E4AA61B7D4670C9E5A424E6B66FAF9EFD902159BE4D73BF9A3605,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000158989Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000158988Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000158987Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000158986Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\LeaseTerminatesTimeDWORD (0x618e3858) 13241300x8000000000000000158985Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\T2DWORD (0x618e3696) 13241300x8000000000000000158984Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\T1DWORD (0x618e3150) 13241300x8000000000000000158983Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\LeaseObtainedTimeDWORD (0x618e2a48) 13241300x8000000000000000158982Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\LeaseDWORD (0x00000e10) 13241300x8000000000000000158981Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpServer10.0.1.1 13241300x8000000000000000158980Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000158979Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpIPAddress10.0.1.14 13241300x8000000000000000158978Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000158977Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:08.690{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=54162E7168BB40034D3255BC719A12F9,SHA256=010F3776F1B20C3D4768BD5612EB0DC804F2D0D22984617ACC93908FBC922497,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158976Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:08.596{189417FC-233F-618E-1600-000000000602}12524300C:\Windows\system32\svchost.exe{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158975Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:08.596{189417FC-233F-618E-1600-000000000602}12524300C:\Windows\system32\svchost.exe{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000158974Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:05.715{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.15WIN-HOST-2953853- 354300x8000000000000000158973Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:05.526{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local52825-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local445microsoft-ds 354300x8000000000000000158972Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:05.526{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local52825-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local445microsoft-ds 23542300x8000000000000000158971Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:08.112{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE6D5AA358F450ADC31786200BBA883,SHA256=E718A9208F5E37F515ED65AE89C274C1C60F13DDC0D82FE7206364019C601D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118501Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:08.041{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077FE2786FD6EAD5369FACA54AAE6CD0,SHA256=A905BCEBA137EDB244581C3B789F2493633C8E4CB163D120BFB264DB92387740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158991Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.568{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-028MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158990Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.223{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9116A6722039160BC7645D89C332527D,SHA256=F2479C581423A236F19D26ED7FA16E05EB6813DBCB369C6EAB2966EE72E81CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118502Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:09.042{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6225E4B8866D962DEBDF808D523B902E,SHA256=908C6BF6D3D50C768C1BE66B241FC9E81A7D26052039398B4726D9A2340E7401,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000159010Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000159009Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000159008Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000159007Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\FlagsDWORD (0x00000002) 13241300x8000000000000000159006Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\TtlDWORD (0x000004b0) 13241300x8000000000000000159005Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\SentPriUpdateToIpBinary Data 13241300x8000000000000000159004Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\SentUpdateToIpBinary Data 13241300x8000000000000000159003Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\DnsServersBinary Data 13241300x8000000000000000159002Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\HostAddrsBinary Data 13241300x8000000000000000159001Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\PrimaryDomainNameattackrange.local 13241300x8000000000000000159000Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\AdapterDomainName(Empty) 13241300x8000000000000000158999Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\Hostnamewin-dc-362 10341000x8000000000000000158998Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:10.798{189417FC-233D-618E-0B00-000000000602}640808C:\Windows\system32\lsass.exe{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+31345|C:\Windows\system32\lsasrv.dll+2f1db|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000158997Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.798{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\RegisteredSinceBootDWORD (0x00000001) 23542300x8000000000000000158996Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:10.583{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158995Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.796{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:f860:2c00:ce0:ffff-63249-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000158994Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.796{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local63249-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000158993Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.790{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-362.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000158992Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:10.238{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F542B2796CEE6B61C990A33D9E9841F,SHA256=DAFD26F68BEEC9D56900A759F3503DE82AE889C1FE2B265187268E73AB6D2BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118503Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:10.057{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268BCD75D6318133ED599EC07340A088,SHA256=15712EF16645A09611DD316D1117201286A7D2046DC47FB38F7C13DFF91C2D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118504Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:11.089{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9514B36CF69C9AD4F330CF1D765783,SHA256=4AAD26C601BCAF5CEA5E400B6E55707AA74AEB4B6FEFC213B2FE4B38380A5068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159012Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:11.802{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86CD3F6A81EE8F903EE7B2A9358D17E4,SHA256=BB3F8196F4D93BA4CB373B4925F34C70968F74C901ABDA795F85F9D9F64C3043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159011Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:11.239{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCECCFD5EBEE36CF733744DF8D99061,SHA256=9FB3C88E0F58B79F9A12F9BD280D1620E0304ED3D54176FE15DD6300C98BCA27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159023Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:10.054{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58675-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000159022Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.836{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53701- 354300x8000000000000000159021Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.836{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local63808- 354300x8000000000000000159020Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.829{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58674-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000159019Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.829{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58674-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000159018Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.827{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local54473- 354300x8000000000000000159017Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.826{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-362.attackrange.local58673-false10.0.1.14win-dc-362.attackrange.local53domain 354300x8000000000000000159016Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.826{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-362.attackrange.local58673-false10.0.1.14win-dc-362.attackrange.local53domain 354300x8000000000000000159015Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.824{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-362.attackrange.local63249-false10.0.1.14win-dc-362.attackrange.local53domain 354300x8000000000000000159014Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.824{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local54215- 23542300x8000000000000000159013Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:12.270{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B8C8A6478B0BA9859FE820DCC7CC7D,SHA256=44D0389DCA2C40323240F757985AFDF7FDF2F5FC1FC2E05EC19C87B3D2A12DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118506Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:12.135{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82EBC2EA2E8CECA0D747FEBB1413D43,SHA256=9492B692D8C2CDA0369D8D786BDFE417E8EE39BE3319E4F04D2F63DAB26B38DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118505Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:09.788{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159024Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:13.505{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A0CBB60334F0A2D19A4BDE75028EEE,SHA256=6E539658623E20D9E4DE8E8020C64AB4E91730674B30D8AA5C345C213456F16A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118507Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:13.167{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5451587FFBC172CC29FAF7DEE6BBA3B0,SHA256=3EACC1D9FF513C81EAA3A926C92AF2AB67FEAEA87A17C5AE89B162761B7F138B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159025Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:14.505{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6FAC8C8865BE5D00D8700047A9182A,SHA256=138A5C2CC5857535A08FF80DC18DD36330882B48E12133880779E139D33B6267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118508Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:14.167{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EEFCF2A31FE042247A068BD99DC58F,SHA256=A4FF225B2A1D86167FD1F4D0ECF13C98D707E3C9084F0DFEC9B47FB8FBBB2EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159026Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:15.505{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4C72ADE2D9208D776112BD781EAF31,SHA256=66D9668976694B813EC3480E9223DF3094D3AE0C45B64FF6108F8A75860CBFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118509Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:15.385{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4803945048F2DBCB02E55ADBA2CA063,SHA256=D8CA0163AA68685D02F2714CE144091E255103C5707F607191E8D183BEAD60A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159027Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:16.520{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98D9C4CEC45622D704AD98E3398EE6F,SHA256=9D0BBA926D1347EEC12AAB50BC1A7CB243DC2A6946F893A84430FB07C7D1ABAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118511Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:16.432{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08871F13ECC986A558ECBE9DCB11198,SHA256=9E9E28C46BAE206223CE68BB60C48B3C5AE7EFE1ED7367F91B24E9D4C5436A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118510Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:16.245{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118526Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A51-618E-6101-000000000702}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118525Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118524Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118523Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118522Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118521Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118520Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118519Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118518Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118517Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118516Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A51-618E-6101-000000000702}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118515Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A51-618E-6101-000000000702}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118514Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.792{147D18E0-2A51-618E-6101-000000000702}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118513Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.526{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069E335D0842054E6C1C8855B5689341,SHA256=0F79121078DD77F1B66B8D473E648E8B08361FD2CF075817CC0E0909404AA286,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159029Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:15.199{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58676-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159028Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:17.536{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D50AB038CD756E3541979516DF18A9,SHA256=DC7B91E3B33F2865BBA668B4E8B711166A0EEBDE3BAFFF4A450A022507D9BA02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118512Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:15.616{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159032Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:18.552{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478307B02677CABA748C74BC398C8C5A,SHA256=9555045DAA0595EF9B526DBE7C25A8D5005CA00CDB6D296F6A982E8D831C2731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118543Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.932{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E89FBF91AF5DDB1A74BA806B8575B859,SHA256=946C367080C8E0D0981594AE863AEC502D7E7128A951DA2C3A0F4E2D98867078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118542Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.932{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A173511C0419C053E968FFDB44D0E38,SHA256=9DC1A37EF0A6F4CEC22F3C2C78FE49F112B0EEC6231C7D1A1A962EFF4F578B7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118541Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A52-618E-6201-000000000702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118540Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118539Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118538Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118537Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118536Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118535Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118534Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118533Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118532Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118531Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A52-618E-6201-000000000702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118530Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A52-618E-6201-000000000702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118529Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.667{147D18E0-2A52-618E-6201-000000000702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118528Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.541{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09B7D4776608EFC1E911479944DA50B,SHA256=6EB75A9F79BA992DD4154C6242DD4BF7983DB88EC427AFE1253AF462BE6B64D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118527Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:15.772{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000159031Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:18.255{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F42B710F4603C8FE48F277DD06B323,SHA256=C3F15B06941DD18129D3F94717D53BB5945089BFC7724F48D0D7C34DE08A1238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159030Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:18.255{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AC8BF733F83F39504EFC676EAD21D46,SHA256=BD12E8D72B8DC804DA69AF02CFE227FBD4A3D7EFC6FC75B6704E963A9DCC1B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159033Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:19.770{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02DE47378DC2683C026E4A3BA8593E8,SHA256=2FE687D8E9D6DA4ABFF6D4D204579E5F523274F497E7F779ADB110B4401E902B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118558Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.604{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10401D6A02275DD38EE6412C607ED136,SHA256=DCF9505B0BE3BA031F8300A0566EDA7920A9FED17E137B6781BFA80AEA5B777E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118557Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.385{147D18E0-2A53-618E-6301-000000000702}26281196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118556Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A53-618E-6301-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118555Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118554Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118553Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118552Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118551Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118550Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118549Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118548Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118547Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118546Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A53-618E-6301-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118545Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A53-618E-6301-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118544Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.183{147D18E0-2A53-618E-6301-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118560Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:20.619{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C58EDF9B4C28570AEEF2F2C199C0E8,SHA256=67DAEEC8174D35C2007F90AA20F85881FCCA4F5749D5664C544FD0224E9ECE95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159041Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-29A4-618E-7301-000000000602}49281336C:\Windows\system32\conhost.exe{189417FC-2A54-618E-8C01-000000000602}4288C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159040Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159039Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159038Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159037Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159036Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-2973-618E-4D01-000000000602}19681584C:\Windows\system32\csrss.exe{189417FC-2A54-618E-8C01-000000000602}4288C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159035Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-29A4-618E-7201-000000000602}42484444C:\Windows\system32\cmd.exe{189417FC-2A54-618E-8C01-000000000602}4288C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159034Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.241{189417FC-2A54-618E-8C01-000000000602}4288C:\Windows\System32\ROUTE.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Route CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationroute.exerouteC:\Users\Administrator\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=56AA12B243152DF359E79D143F248F1D,SHA256=BFE7A626BF3B9080997401969954AE0376476FD220E80CC52707FF31CE827D53,IMPHASH=B4266771AA756897B5C9C266177A6A5E{189417FC-29A4-618E-7201-000000000602}4248C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000118559Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:20.229{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E89FBF91AF5DDB1A74BA806B8575B859,SHA256=946C367080C8E0D0981594AE863AEC502D7E7128A951DA2C3A0F4E2D98867078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118588Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.870{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3216ABE2ACA4127E3D09FE7C54D3D68,SHA256=08FBB8C615CC24769B6EB8C0AFD6EB6FBB7F76235ECDF54883A1441984A8791C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118587Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A55-618E-6501-000000000702}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118586Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118585Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118584Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118583Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118582Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118581Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118580Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118579Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118578Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118577Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2A55-618E-6501-000000000702}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118576Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A55-618E-6501-000000000702}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118575Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.839{147D18E0-2A55-618E-6501-000000000702}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159043Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:21.427{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F42B710F4603C8FE48F277DD06B323,SHA256=C3F15B06941DD18129D3F94717D53BB5945089BFC7724F48D0D7C34DE08A1238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159042Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:21.005{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C020A63836E73068221A4E2D5A23BE,SHA256=FF0B6E3EB049D01BD198DC46BCAB02AB5ACBF9B293BDAA4CE659BC68376685CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118574Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.291{147D18E0-2A55-618E-6401-000000000702}35323512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118573Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A55-618E-6401-000000000702}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118572Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118571Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118570Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118569Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118568Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118567Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118566Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118565Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118564Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A55-618E-6401-000000000702}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118563Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118562Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A55-618E-6401-000000000702}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118561Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.120{147D18E0-2A55-618E-6401-000000000702}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118604Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.510{147D18E0-2A56-618E-6601-000000000702}26201004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118603Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A56-618E-6601-000000000702}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118602Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118601Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118600Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118599Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118598Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118597Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118596Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118595Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118594Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118593Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2A56-618E-6601-000000000702}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118592Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A56-618E-6601-000000000702}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118591Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.339{147D18E0-2A56-618E-6601-000000000702}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118590Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.182{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAC38FBAECA105DE446E98349EEBD17C,SHA256=F6CF9025AC6EA2E91C6B7B8A6BFEE6DD2B6001EE7343B29603709673ECE61241,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118589Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.088{147D18E0-2A55-618E-6501-000000000702}16002864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159044Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:22.036{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B682A19183BF22C722BDF6359B7E4DC3,SHA256=ED695431F8BDC97EFC3AB589A10C49B1BE58DE1EEC39DAF8D95AB94551497189,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118607Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.616{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118606Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:23.369{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE3ED1B131A6108FAD6B8B9A02BDE9A,SHA256=D67A61C5E259F539CFFB6BD64F045A436B65414EE0C6A011954706F13A086219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118605Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:23.369{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85D73C38EF49F3C6F05AD953B621F463,SHA256=8F11EA0ADB028086C7CC486ED10E532476807FEE580C55CD37A8567B8EE21843,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159047Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:21.167{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58677-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159046Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:23.380{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159045Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:23.067{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F99F443456ED879602A665D790A0387,SHA256=49F16547AD1D44EA2CCB693A6CC7C74D27E8378B1ADF4EA954836B1DED861527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118621Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.588{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ECC33A7030CD3068859D7E84DE49E1,SHA256=602D9CB750D478BC116613AEDA232F34DF0F061341AF4697140D16348F40C5CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159048Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:24.067{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3716832B0F643F3EA497B8E0FC89AAC4,SHA256=F8B24E0B32C1AE3454DDDB9822D8C59F5592F94A3D301A66B550974E3F88FD6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118620Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A58-618E-6701-000000000702}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118619Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118618Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118617Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118616Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118615Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118614Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118613Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118612Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118611Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118610Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2A58-618E-6701-000000000702}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118609Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A58-618E-6701-000000000702}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118608Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.292{147D18E0-2A58-618E-6701-000000000702}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118623Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:25.588{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BAA488EE5CA0BABB8F6F0A0B2C542A,SHA256=D4337B5FFBE5B0880FBD3384509901817F9548EBEABB8D4985765A1F707B3F3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159050Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:22.386{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58678-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000159049Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:25.114{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7F30F4237D014939CCAABED446A857,SHA256=5BA6AA0145BB50B7F47D266EB46F4BDEEA36722D269FC99355046414CD691283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118622Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:25.385{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55545054141098C7A4F5AE6D0703E6E7,SHA256=64D69C2C7C0ED5D28F7D9D568C5D7D93ADBBB7F8EA7506AE6C0F50624A01E469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118624Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:26.650{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577D67C38AA2EAFBFA7746848C2592B8,SHA256=FCBFC84D1CAC6BB6AF406AFDE24E618EEFA3FB72D7F00F776A26CFB5B2247D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159051Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:26.114{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E9DEC7F502B6F43103880E5BE3B847,SHA256=596ABBA2F95DE1FAF78F7BEEF0D6659EFD4D39D8AA2B761B50C8F60515D661D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118625Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:27.666{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BEA8566EAF1D418DBFF93B083E681CB,SHA256=BD7B1E20BFE09592D8AF5A1C717B4585EEB587B9B16F9551A47F7433A894AB9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159052Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:27.115{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FAF3C585C391A4DD234A0EF182505E,SHA256=DF6588ECB7E216A72499DE8A02FA60C99CE1E2D74DFBDCF5266463DD3CD1C532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118626Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:28.697{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7241AC2B6847728787F11374C69A0D,SHA256=78176BDE1D6869F650A4B49B37EAFA574C0681C2D9322144E6A047B7DB077923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159053Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:28.147{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403ACAC1AA632FB64522DB893292C075,SHA256=4EDA706F2F1CB9E4999E5322B7EC9629356206EA83C75484A879AC8CAC115F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118628Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:29.838{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABB512B7A2153FCD63A056D04B9BA95,SHA256=5A064E24BF1E77FC5CE22058D716326370692A370A92ABD8FD32D9D9AB1C36E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159054Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:29.162{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94466F32A93725AEE73A22E647D91BC9,SHA256=9FC7E0196CD156CFAFA24BD561407BD8EB6349A565A0AB0BBF771595772E76B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118627Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:26.772{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118629Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:30.884{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54C89FEA1140A6C582F30C67691D646,SHA256=228B7EEB3D434650A6C126E165E1307843A2C8F009949C5405F574810539B57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159056Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:30.178{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE51AD0058EC10D1AA51B4972CA34D55,SHA256=43DBCD65CE234D5AA26E374C9C36A9D4F6955E0E900011C3091647F9A68EA874,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159055Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:27.075{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58679-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118630Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:31.963{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E58BD3EB2D8096B055C87BE6E46E8B,SHA256=FDF07181D714E43EE3547500174922414A193FE52B8D1264C89F4AE38BF073EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159057Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:31.240{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4754139344570B0202C435DFFA3CEED5,SHA256=F5976CAF80BAD6ECF3CFE777F7B3C1665CA6FC2E667532072DDFC53F5A8A0EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118631Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:32.994{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934F430B834CBA4D6E65637B898791FC,SHA256=1BABE11177B7438FDD7E54FD06B7223A8A7F9471E4A70CE9E056A82774A9C14A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159058Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:32.459{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA1B8D142CD01C900F2ADD9194FC26D,SHA256=B42F1E83B0D34751C7142EEAFE71EE4173502D632140E499F52F23E6CDCA6F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159059Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:33.553{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394BAF23101B9679298701D59D567DBD,SHA256=82D8C13ADC53DF1EB86C1F0C2EA5DAF52CF4EC978B4BC845FB1490046A57485E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159060Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:34.615{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A734DC84565A37B0AE10D388BCF59608,SHA256=72DB0266AE4A1CEE07D8DE8328C40D1D6458D8F033530450F01D902F6273C5EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118633Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:32.553{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118632Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:34.041{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0863E18CF549F8380FEE4DF82C2AB58A,SHA256=AE32FC22DE657B8E0767C2D6B364AA2CA1CC8641497E8AD3A3767B4EB798F00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159062Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:35.631{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E55EE9AE025C0D50BCAAB2E099B8FE,SHA256=A4CC607D39C715D773A8CE81E3DC54470CFFECD25658FDB9A18ED30E3BC633CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118634Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:35.041{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D91BB8F5DE840218575D79A061675F92,SHA256=4C30BA5696F31BEA15535C1059C3125C5E0D2C6BB19F632D8D7BDD0257C2E066,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159061Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:32.231{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58680-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000159071Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A64-618E-8D01-000000000602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159070Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159069Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159068Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159067Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159066Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A64-618E-8D01-000000000602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159065Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A64-618E-8D01-000000000602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159064Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.929{189417FC-2A64-618E-8D01-000000000602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159063Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.647{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414E1C4C9F4D30A8670331D0350E020F,SHA256=9BEC9BE116E41DB2F60B556372C794916DAD91DCE96B4042D9D06DD1D53C3152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118635Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:36.072{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1636AF111077BC4567F9F760E8B5FF,SHA256=9C64103DEFEEFF290C8D2D141DC3278B341FA2D621142FCA34705B184FCAAC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159091Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10D915E5E67CB5AE94AD810C6601F057,SHA256=FD7A51726CB003EF582C8C861B992CE9CF57D882BFA4D6A5214E7140E10F79CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159090Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B182AAB2C773E87059BA88D3E3F2110E,SHA256=8AE2424E7D4EE757901AE835ACF3781D1E765F79FF23E04BCE6B704C73F77C03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159089Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A65-618E-8F01-000000000602}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159088Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159087Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159086Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159085Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159084Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A65-618E-8F01-000000000602}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159083Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A65-618E-8F01-000000000602}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159082Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.929{189417FC-2A65-618E-8F01-000000000602}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159081Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.678{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1EEA1503DC03D680BB0DF39D957366,SHA256=5E9C265261F4C9860F76C9F4CF7019B32B6F25AEFAEA74BC3B96F511932CAA72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118636Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:37.087{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB7EB72739AEF7F346C5DE298FD7B1B,SHA256=07C16DB5C0D5DA9291A45416020D4C62F1853E50086C1427330005EBB211FA70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159080Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.647{189417FC-2A65-618E-8E01-000000000602}50042308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159079Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A65-618E-8E01-000000000602}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159078Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159077Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159076Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159075Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159074Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A65-618E-8E01-000000000602}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159073Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A65-618E-8E01-000000000602}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159072Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.429{189417FC-2A65-618E-8E01-000000000602}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159092Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.912{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942FB924BF2A0D789F586CA30279DE3D,SHA256=991024E76E96AAA17F9D73BF93C2310A457CAF8718C2F9A2B5DC793054BC0914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118637Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:38.087{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D73F7E8D5669FA729802CFB42E68E62,SHA256=F148ED4D7BFD07F0E3424D43FFD3C61AA8E0CB924851C887BCCE5D5AB7CC2AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159098Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:39.914{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E32627D4050678BD3AAC33F8F327EE,SHA256=DE9A0ABF60F457F556E68167A3BDDC25A40BF664067C47E16D749F2E1C38DE97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118639Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:37.788{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118638Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:39.103{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFD6BA2DC5D2CA945659818A99CBA15,SHA256=0A6DFE215E484D686A3502141CA2800FC76ED3D6FA2FD6A1E6EA8109F577DD5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159097Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.825{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58681-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000159096Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.825{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58681-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 13241300x8000000000000000159095Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:39.522{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x8000000000000000159094Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:39.506{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\5BC8AA72-1F28-4E14-BC80-83159E61745C\Config SourceDWORD (0x00000001) 13241300x8000000000000000159093Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:39.506{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\5BC8AA72-1F28-4E14-BC80-83159E61745C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_5BC8AA72-1F28-4E14-BC80-83159E61745C.XML 23542300x8000000000000000159114Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.928{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D38C495B4104FE99A558A4D7D6B3C5,SHA256=FC8A3D7AFD1556D3ED83A5C4268F973502FF3894F84B6C4BA9E97ED93A6ABDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118640Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:40.150{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CD70651F99C2600F441E62ECB6BC06,SHA256=7F4269FDD1D63835AFBF263BD289962B17DD280F4F46CC146D06E8EBA366B0FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159113Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.546{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58684-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 354300x8000000000000000159112Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.546{189417FC-234F-618E-2900-000000000602}2792C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58684-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 10341000x8000000000000000159111Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.537{189417FC-2A68-618E-9001-000000000602}18322452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159110Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.522{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10D915E5E67CB5AE94AD810C6601F057,SHA256=FD7A51726CB003EF582C8C861B992CE9CF57D882BFA4D6A5214E7140E10F79CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159109Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.530{189417FC-233F-618E-0D00-000000000602}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58683-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local135epmap 354300x8000000000000000159108Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.530{189417FC-234F-618E-2900-000000000602}2792C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58683-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local135epmap 354300x8000000000000000159107Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.153{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58682-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000159106Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A68-618E-9001-000000000602}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159105Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159104Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159103Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159102Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159101Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A68-618E-9001-000000000602}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159100Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A68-618E-9001-000000000602}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159099Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-2A68-618E-9001-000000000602}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159135Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.944{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E175F71FD349B555DA579F791E8373,SHA256=07DA6650E27963C9988B7E82405791AA53156EFD6F7E56775737BF8549350909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118641Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:41.197{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D44BC9A6F7EECFB232DF65031D245D,SHA256=8A0044F72CE023FF7F179C8A0EC6A39B45929987CA5C0D57135D292C16DDA486,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159134Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.865{189417FC-2A69-618E-9201-000000000602}384356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159133Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A69-618E-9201-000000000602}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159132Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159131Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159130Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159129Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159128Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A69-618E-9201-000000000602}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159127Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A69-618E-9201-000000000602}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159126Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-2A69-618E-9201-000000000602}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000159125Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.553{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58685-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 354300x8000000000000000159124Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.553{189417FC-234F-618E-2900-000000000602}2792C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58685-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 10341000x8000000000000000159123Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.194{189417FC-2A69-618E-9101-000000000602}45803600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159122Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A69-618E-9101-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159121Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159120Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159119Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159118Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159117Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A69-618E-9101-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159116Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A69-618E-9101-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159115Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-2A69-618E-9101-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159137Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:42.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5EE800B0AA8A0074545F6695D65563,SHA256=77963F1BE5859B3A9C88D4BAA618084B8ACFCE305BBBB713673B89F3C701683D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118642Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:42.228{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57946283C8BD9615F24A7FE6508662F,SHA256=D6C8A29B5B6923F421458C2D1E2F626CD6670C4490AB9C677931F2FCF9717E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159136Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:42.240{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=971ADB6B4D277D76895F0A61523FDA79,SHA256=808777D57C6979AE5513331F3B2AB95FFF099972D0970FCAA34D2127D8AA86AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159146Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62DAE85091571048DFA9CA2FA95D773,SHA256=DCA27BBF9034AC3438BC88F944A11516D9EBA67037DCD7436B404372F38CA869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118643Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:43.259{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1043D65B2CF916A2DAC9138638EEA3,SHA256=AC2907F7EF919472FC6F9F34AABB7122249FD631A2793C91589D159297C791E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159145Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A6B-618E-9301-000000000602}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159144Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159143Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159142Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159141Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159140Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A6B-618E-9301-000000000602}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159139Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A6B-618E-9301-000000000602}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159138Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.460{189417FC-2A6B-618E-9301-000000000602}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159148Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:44.975{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3D25DA9EED3DD8967F73AF3BD7B04D,SHA256=E590C6CE7B1E30B094C9C024708B0CDE1083ADB5A62A61B18C283C0229CA0442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118644Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:44.275{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD9C08DD8B33E03AFBF4631796AB4A7,SHA256=AA9B77065981E6B98DADE881FC014BE634220C9F33D191A91F45295A85C5B16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159147Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:44.678{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3524F26D5BA3BBA4DC3560B371532DCA,SHA256=6F9227C88CB4D5925B22CCF781A54E3B22D9CD64F0E35228C7C03171F58F68F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159150Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:45.975{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956F936A99E717A335E4E908F773333A,SHA256=923D869364B2F7B5BC1A025DDF847D240134AE7E0E95D48AE683D1E2C6B8ACBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118645Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:45.321{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB06138BC39CC59F0789C16F03A9E9AC,SHA256=381DCD8FC7CBAEE6FAD0F7E1BBD1AC82E08AF8683E4A5283B77530121F3B579F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000159149Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:45.303{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a2-0x1a15e814) 23542300x8000000000000000118647Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:46.321{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2913A07FFC80A86D32145CC5E1848224,SHA256=D62200AE54202810BEBC7F1B0D8504FF4A5CB7E0492FC41D14F0D462789D8F39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159151Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:44.059{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58686-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000118646Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:43.553{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118648Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:47.384{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB879CCE0D421025F8E4419911418EA5,SHA256=C1AE2F077F21DB409EB6874EDBFCF13AD028807A151F69311F672B6048B7D04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159152Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:47.022{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFAFD3E789BDE85C56ED0AA18147E92,SHA256=9C455CC4E77EBEEA33CE57E01B52326874F00D34413BDCD5BE25E5C5D434C71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118649Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:48.384{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E8E405AE2171043980E4D35B4AF0F0,SHA256=B6CEACFEFC7F00592579DAF48DAC6A9254443A4B4DE1628C1A1F74ABA65A7E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159153Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:48.037{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AD4C72829681814864BBCBBA37F1AE,SHA256=81BAD6E1D91C0C54F738DD8B678717168722EF56170C112D1FA5A4B9263023BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118650Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:49.399{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF706357C368EB931FE6AE396D6955E7,SHA256=33C6BB03339A48CC7A975B1E80AFE57AC98C9B00DA19370683EAFAD9336BA9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159154Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.131{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93AA64C93E40F54EE6980C889FC83E1,SHA256=B20C0328AEAA0A66109684BD9342BE7EF2CDB9C8E36F4379B81471A7169657FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118651Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:50.399{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5265D739EB7D672153A9963F8F5A1077,SHA256=B2B338BD24B1A535D453F3C21041E0268552595B1E799542FE504AA7951BC296,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159158Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:47.577{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58687-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local445microsoft-ds 354300x8000000000000000159157Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:47.577{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58687-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local445microsoft-ds 23542300x8000000000000000159156Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:50.147{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEC2FB27B24971E7A66973DDA10E53C,SHA256=D30AB071ADA532F8AE8711BD8F088EB6208EBEB675780891064ADEBFE0587071,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159155Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:50.084{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2339-618E-0100-000000000602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+31345|C:\Windows\system32\lsasrv.dll+2f1db|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000118653Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:51.415{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC51A8B1692C67AE38B6C095951814D,SHA256=F8351B795D226E2864EC684C5B4ED6B808222E05CB7C65E72088022E2BF2B3B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159170Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.153{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58692-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000159169Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.012{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-362.attackrange.local58691-false10.0.1.14win-dc-362.attackrange.local389ldap 354300x8000000000000000159168Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.012{189417FC-233F-618E-1600-000000000602}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58691-false10.0.1.14win-dc-362.attackrange.local389ldap 23542300x8000000000000000159167Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:51.147{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6C11F533A9E44D94DBDDA7CE04442D,SHA256=9DD1CE1BDB43D2938F31BA839122D7D465818B2A77CC360D9C21F38B2312D01D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159166Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.000{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58690-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 354300x8000000000000000159165Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.000{189417FC-233F-618E-1600-000000000602}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58690-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 354300x8000000000000000159164Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.000{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58689-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local49666- 354300x8000000000000000159163Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.000{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58689-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local49666- 354300x8000000000000000159162Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:48.999{189417FC-233F-618E-0D00-000000000602}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58688-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local135epmap 354300x8000000000000000159161Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:48.999{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58688-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local135epmap 354300x8000000000000000118652Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:48.773{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159160Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:50.990{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CBDC0AE90920BDE1EAF15623160A8A4,SHA256=3D60D0F06BF12911136C4BA1E42445F8DB242220AE94D00B07091793FF9BE60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159159Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:50.990{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F29D19306BC71DD6CCB5490804EF2E40,SHA256=1926B0912D3E3FB376C0963A74C57940B6ED4E9E24752B4E0A884C304CF3C9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118655Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:52.434{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-029MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118654Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:52.415{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E41DCAB6FDE76A949B5A6527A541A40,SHA256=447B2CCDF7C3E6A40862E1FCA36677E965D14547461428F7C3460A0B2BE8169F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159171Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:52.162{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B87053F4CD508F2D893960100C1EBE6,SHA256=9ED1BDEF79D54FEB9305CCBC5CF4C677237C5584A18459A1F316D8F9D0733D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159172Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:53.381{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B5CB302C26F6D3B1DA23428D979013,SHA256=67BBA6D50649C545B41FE3E6033B7DBBB03C11032478C9A513964CA85E0FBC24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118657Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:53.432{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-030MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118656Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:53.415{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D34BBD3622C45CC0A41953889033759,SHA256=4FF811B7E29AC4E65D1501478E898456CA537FC56EF992C5350FE6DA2EEF1B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118658Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:54.416{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BED73651DDBA2DDF0C0C390B475671,SHA256=26AE6D6FE6DA82042ED69FF957113B4753E6624184593CB99A70BA4F431A2CBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159173Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:54.397{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270C98129FF7DECD781EF200BDA45796,SHA256=85C6F2458ACB3E2C172CB3EBB01005929F4BB91EAEF9FF68F47692F730CFFE75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118659Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:55.432{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FD35C5F3B4BDD5CFAF5D4B88EE863F,SHA256=302C7A7E726A47333296D6B69B6A18497AB188C15F9E4A31463F6617447BA3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159174Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:55.412{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF16714386D6C8271C2F2A3023199E9,SHA256=EE49D15AD00529EEE3C3F46C671B08D4D2A59F3E308ECC9E37025A677F4439DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118660Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:56.432{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75932514671AA396C2FD4C6670BB38DF,SHA256=1DA80FC41670EE57E52212C3D5907ED38A2E79725C913101B94C9F29B266643D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159175Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:56.412{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C1FC57AC0BBB993576CBD1A7FF8FE0,SHA256=2B7D9C5867F0E2F21AF32BAF8E20D358D01933DBEBB4EEDA81FC628D23C2261D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159176Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:57.631{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09A1420721F33ACE4D478C5D73DD33E,SHA256=7453AF3F754636FB7B0D862DD53B3BB55FA6B1E76E15C4E096632169B9DDA948,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118662Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:54.727{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118661Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:57.432{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74BEBE063E89415408BFBF2621C1164,SHA256=01EC2D79154DF6274FDF8F07C2FA704804F7730D84AEAAA7002B88106C93E442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159178Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:58.662{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF39D91849C5B675B7C7E267782EB4B3,SHA256=5E1FBA593FF8B70DA717908771F74A983E988A82AD6B6182D8C42637DE3968A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118663Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:58.448{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC876FE765BCD8E8127A9E09CCB345B9,SHA256=04BC889BA68D8616D83282A5992A5F3618A49FF727F4CEB2D8548E23A3A8058D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159177Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:55.122{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58693-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159179Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:59.678{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C6129EE2A87139EFC4E488D83CD533,SHA256=378E5D7819F4FDE9567F8B2B9D0EA8FAF083D8A43CD8F37180424C5D2F064E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118664Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:59.448{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14515998BDDDD086210CB4E3B64927D,SHA256=49CA2E8E36D32BFE4260143ECA1C5B809AC48E773DC7B73AE3C479170B038D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159180Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:00.772{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C497FF01572DB9C737CDD38BFE73FB03,SHA256=B0665AE2DD103F7D014FC32810D918D678915BC5062EE823AE8113C2BD639E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118665Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:00.463{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A055CAC49CFF89BB8464C2574584B174,SHA256=388A85741C35B7C6E0620461BCDCD317E81763B8D8175BC68FFAED5D07B01C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118666Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:01.510{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96308ABE12191D379855F72464690677,SHA256=747AE23E2A904DE7B61021B228E2D17FE7A954178EEAF5EE9FB938A9350F4586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159181Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:01.787{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0632DDDA5E7651665FA8C348827D6CD6,SHA256=67102E968E0E977C32754F7BBFC0A5C7EA8ED40C69CD5A036F7CF91D12BB5F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159183Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:02.834{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4741293999035291FC8C24832268A675,SHA256=2A1546459AB1C8047D5953D96C9EE111A11A64D6FCD9C4CCFB44C8CBE25E468C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118667Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:02.557{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602A057B25BD580E6264A45BB1E53041,SHA256=311B1B9D1B000426F42047C7F52CE7B9F1E6E5F30164ABE20AD2D76A506178F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159182Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:00.200{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58694-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159184Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:03.865{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD70F6D6438D1F07E75A27D145F0E0D,SHA256=AD167A3D79D0244D7F4E77D243C055546DF2CC4944D461551FB5BACDAAA09620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118669Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:03.572{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C005081CAFD6E7EA23B58720F9BF1F,SHA256=B2016C95F8AD94974F0DEAA3CFA29CDC01A1EB045B40C3E2AEB718702E4DDB99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118668Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:00.711{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118670Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:04.588{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710A02FAACA03470BA7CE32CE58AD33F,SHA256=2CC6B806241E8DD7800129897D665260945270D9999C2674A35C730542669D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118672Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:05.635{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424BE944872E0905ADD09A66092A7EA8,SHA256=BE578A7CFC4D87F24D9D3F133E2C39140E56C5D0815576C5C1E12296CF187C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159187Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:05.740{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7259ECFC944B994ADE484AB09FDE40D8,SHA256=EB09559DF8B10D18518ED0D67FEF9B4BC496112996127DAC5BE71DDB39B56B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159186Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:05.740{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CBDC0AE90920BDE1EAF15623160A8A4,SHA256=3D60D0F06BF12911136C4BA1E42445F8DB242220AE94D00B07091793FF9BE60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159185Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:05.022{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D15063D7205BA3945BC93B0188B81CC,SHA256=7BCB7A2EFEE755542DB627060F34F16CC573F7AC87C37A52732DC16B404DD2F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118671Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:05.619{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F698D2229E2378E36EB5169BAC546F74,SHA256=B6A46D5512F3134E585932F0493A9D408F9FDAE4E1F2913DD1F45B89DC7331F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118673Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:06.635{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D12D9EA83F9C8956B688F19E0AC0C6,SHA256=CDE58A9FFD2F2539EA4DF9DD69E6F3D6A1055E91774A0AD6BC9B012E214004AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159188Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:06.053{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FF3F7F492D196C6EB17E589D33D471,SHA256=A089AF4B57C8C31FB1998EFCCA09B4F9A6962D75A9DC3ABA919928AC6441A4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118674Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:07.650{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3156F2D1C90E79616916F84E9AD169C2,SHA256=F658F806429FAB049E697D1D13CCA9EC4667D026D1F898EFC68D316509F00FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159189Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:07.162{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7525F878D07AD94A29DED16F0A4A66B0,SHA256=5CF7B7484F0AE165D6131901B2783E05471E554D3735A8CC545097E836AE2E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118675Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:08.666{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213CACDEE0C697EA5EC76BCA180C0675,SHA256=BBEEB0C7D49BCF9D6C395AA4E4A94C0C977B66699F72CA77566A805774BC7BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159192Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:06.106{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58695-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159191Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:08.693{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=12C2E887E612BBB82004988343C4BA5A,SHA256=A3EB2FC18E22503494F88F0CEFAF8AC7E48A07F40CE499E3B710C6B4B4C84B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159190Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:08.178{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB2540FAE155295778FC184FECB79EE,SHA256=FFE2A18725B2F64FEB4A6105885C66A65C79BDC5A3F9AACA92384FBEFFBB2D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118677Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:09.666{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098F797E38E5E3BCD4ACFDC3E177291A,SHA256=A2C419CB6EDB742F41E08244F17776824C301772A3EFC54F78CC6EA1C84EBEAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159193Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:09.397{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD41645AAB2C04219FF51781F574562,SHA256=1E8D769F903F90400ADE94DAA8A575927D169CB9D79211EF27EDDF85F8E3B7DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118676Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:06.680{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159194Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:10.506{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8A8C47AEA7D551DB4567726E165B46,SHA256=3B08CBA147E0BD1FBDC299EE05EE619027FB338CBFD4C08503AEEEBF8C101F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118678Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:10.682{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E6E538AD9D7418AF1739B4D951543F,SHA256=46637F8728347A9788653D3295187B1E9E7A64E1CA5E6BAD7D639092630C7531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159196Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:11.551{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C85429BD363426537FAF96185B78F24,SHA256=F291430E60CF8D18C9153470E82777F58B6B74ADBF268624CECF41D9802EABF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118679Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:11.744{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77AEEC12A3BFCAB1D3BBC05D9371115,SHA256=90C9A3E99F6261A0868CE79D93930A689C09B2EDAA890FBB6E9892FEBBDB8902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159195Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:11.103{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-029MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159198Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:12.678{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED5A5EE9FBF793BCEF88C96279DE5AA,SHA256=545197E327F5F3DF45DC3853E408D5A6443692C4155FC5000DDE6869A7319C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118680Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:12.791{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D5BC951E304D49D9365E9A7B4DE372,SHA256=CE235D47ABE3AEE504859CDFC97D2B025BE43E4AAF5D9AF3AE46E9E86AFBD21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159197Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:12.114{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-030MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159199Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:13.709{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43157D810347A99885B0CFC3935EE690,SHA256=EF88BED385E56021F5EB29EAB05C5BCA40313813C7F3221C88277792C6BC6BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118681Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:13.806{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D82B29F2F650B40FDC0F91F6227D374,SHA256=CF04407BFA10F0EF3E68DDA4AA11EEDF0FCF993A4EDAABAF2254BCC41DD3A7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159200Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:14.865{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073B722793DF5F872D590D354DFE53EB,SHA256=66C971D79F5AA663C96761D5C94AA046CE0053E7B9CB8AF2ED3B63A904AFC52C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118682Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:14.947{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C0295B5CCB074F91645D12007E3B6A,SHA256=830588968352C004961CA471FA08EA2DDFF83FB16DB5EF13FAA37EB7F648ECC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159202Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:15.912{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149A139564FFA93C47889E1690E47658,SHA256=F823AA9AC4BFE68CCB87BF53530A0FC391DD94B55368C70727DAA87C64BB313A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159201Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:11.258{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58696-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000118683Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:12.727{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159203Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:16.928{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47A946DB475000630CE100DE1B143C6,SHA256=4554DEA47F8AB926A61A4502AB9A26AB67D3F4A0A998BBEA8809849C17DFF34F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118685Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:16.259{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118684Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:16.072{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8543520702CC2060D68F0677FF29D383,SHA256=407C7E74B4BECD68AAA4A340931D06CC068106A50E99918B7CCA63D7604B1598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159204Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:17.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46995FE6B29945CDC4A28FD99CBC12DC,SHA256=227420A9D84A7B9C983C54FAE5376E94444E7BC59B5D07FCBD4DA3AFE92B8AD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118700Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A8D-618E-6801-000000000702}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118699Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118698Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118697Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118696Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118695Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118694Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118693Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118692Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118691Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118690Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A8D-618E-6801-000000000702}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118689Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A8D-618E-6801-000000000702}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118688Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-2A8D-618E-6801-000000000702}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000118687Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:15.789{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000118686Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.134{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94153EC1CBECF902500AAB16496D6C85,SHA256=8C5D5C92374772F09F2A438EE68FBC43D013CA01DE1267992A665E98E9486164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159205Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:18.990{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9E07FB7E67C08D8372257F8F06BFEA,SHA256=4F73F2B4F648B46351A89DB7771E26243A504FD121DA030242B5807E9507A027,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118717Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.884{147D18E0-2A8E-618E-6901-000000000702}32323432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118716Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.869{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D3BA05C3C4B05C41E80EFD7B91B478F,SHA256=933559BCCC6F7EFD120105E0FD0E03832EEA8F705A10105BBC5037845E7057A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118715Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.869{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=768D7E7C12C4EADC8A94463C8B280752,SHA256=BAD9CB4CE48DB441F385F875FA81A1136AA2C9285B9CDEA52D1A4AE8DDBB0761,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118714Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A8E-618E-6901-000000000702}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118713Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118712Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118711Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118710Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118709Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118708Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118707Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118706Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118705Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118704Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2A8E-618E-6901-000000000702}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118703Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A8E-618E-6901-000000000702}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118702Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.636{147D18E0-2A8E-618E-6901-000000000702}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118701Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.150{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A0E4382451B2BBAEA7D6A8391B1629,SHA256=96FD075A9F158ACE1F1D7B7CDE5FD130DC84086C512509D7559A8FE755526BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159206Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:19.990{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF55881C90789DC174DF7F76A8E5636A,SHA256=6B2DF2F34E2D4C67F41D92073B8618C7ED08C9E51FB339639BC8BC2D81C5E4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118731Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.213{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98427A10EFC6B684F29E64C1E6816299,SHA256=A9C7AA2745F5161AA51166BBE98A8A3126D157F40015A3377FE203F23B86E9A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118730Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A8F-618E-6A01-000000000702}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118729Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118728Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118727Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118726Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118725Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118724Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118723Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118722Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118721Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118720Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A8F-618E-6A01-000000000702}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118719Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A8F-618E-6A01-000000000702}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118718Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.135{147D18E0-2A8F-618E-6A01-000000000702}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000118734Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.680{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118733Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:20.212{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB682817B4951EA191444224276ACB8,SHA256=D1801F8F031312A4E6CC6762325E2EC1D76C9A3E962DB094B9D52BA4C1EB4004,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159207Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:17.168{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58697-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118732Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:20.150{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D3BA05C3C4B05C41E80EFD7B91B478F,SHA256=933559BCCC6F7EFD120105E0FD0E03832EEA8F705A10105BBC5037845E7057A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118762Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A91-618E-6C01-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118761Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118760Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118759Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118758Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118757Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118756Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118755Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118754Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118753Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118752Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2A91-618E-6C01-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118751Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A91-618E-6C01-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118750Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.838{147D18E0-2A91-618E-6C01-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118749Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.322{147D18E0-2A91-618E-6B01-000000000702}24801248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118748Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.228{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2697DBA1497B0CA731C864BB5CA03F43,SHA256=9A8E95129F8C481BB612FD5F272AFE8CD1F867B92D49B74A5E906DE781B0F8A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159208Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:21.021{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DBF9DC1DCFF3E61CA79F3AF31C8029,SHA256=3FE6D9C00695B024F314AFB6B8D795A94048519778C6182FB9BB44CED841D6E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118747Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A91-618E-6B01-000000000702}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118746Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118745Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118744Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118743Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118742Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118741Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118740Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118739Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118738Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118737Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2A91-618E-6B01-000000000702}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118736Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A91-618E-6B01-000000000702}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118735Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.135{147D18E0-2A91-618E-6B01-000000000702}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118779Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.556{147D18E0-2A92-618E-6D01-000000000702}26603052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118778Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5C103B2BEB6DF99D7B31FB965B3D8B,SHA256=28E88A46C4217CD29BB1A1543EC7B686990AFF4D60C80B618DF0FE588F1A97F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118777Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A92-618E-6D01-000000000702}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118776Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118775Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118774Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118773Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118772Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118771Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118770Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118769Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118768Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118767Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A92-618E-6D01-000000000702}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118766Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A92-618E-6D01-000000000702}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118765Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.354{147D18E0-2A92-618E-6D01-000000000702}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159209Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:22.068{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE05EAD3895887382FB9234C6531106,SHA256=2B85DDEAA4588E4C00CA9ED5501485A6365C18121D1C93DCA263CFB1C606755D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118764Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.212{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F6A1004DA65DBD025E0D394B7608FE8,SHA256=A4958036B30269BE713961B2633C7D944AA3AF42C2B4CBE1ADB120ECD17A1623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118763Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.087{147D18E0-2A91-618E-6C01-000000000702}31123108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118781Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:23.509{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE43DCA2660DD93F0D8DF77922297B9,SHA256=8544231B447D991AF4387049BF06AD8462A87DC129CA537B82768DAC4B191F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159211Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:23.396{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159210Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:23.178{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2E1CF5DF4653FE627FADED8B647491,SHA256=2D8B58E4323B2CEAD95656588DA98FA9BBEBAA6C213870B5943C264878105202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118780Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:23.384{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF9D897E530B99EF52ADC1A68D8C33F5,SHA256=B9E2A4BB0D220C4A717A49FFDA2D35A5E05872B73A68A9F91E1ACE993476DCC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159212Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:24.209{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213021B7B9C056B513E7547D5B93F441,SHA256=7F2365DFA50187AD46F566A365492193AB33A2C0306E638CAC30599B34692B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118795Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.525{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DDC0D52D74D1EF0D4F6FA0C210EBD4,SHA256=4528E21EEE88BD0E76756C7F7FAB0AEB70B0AB1AEF744157DEDF7FE6FC6F0D89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118794Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A94-618E-6E01-000000000702}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118793Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118792Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118791Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118790Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118789Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118788Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118787Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118786Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118785Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118784Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A94-618E-6E01-000000000702}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118783Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A94-618E-6E01-000000000702}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118782Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.307{147D18E0-2A94-618E-6E01-000000000702}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000159214Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:22.403{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58698-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000159213Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:25.381{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2D3D927F6F41C69427B16CAD1801DE,SHA256=4ACE6C1A83104BEC80991F9BA3A471233DBE1B1F871194FCF04745820448F2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118797Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:25.556{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE105CEB8F5C9CBE7BA64B84450EF509,SHA256=8828185DD3CE7629F4053020F80F889AEA16D3C4BEFF53DA396C091F3D97F598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118796Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:25.525{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BDB1E23F31EC0CD3F0BB40A45F9B959,SHA256=9C17C5AF91A51E5FE2BDCD2862A2018A54F60C04A14C49874ABD48DD6D035522,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118799Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.680{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118798Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:26.572{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55763AFAC9B86C01C98303006B37179,SHA256=DDCDF13CCACA702193F2A82D0F19E0A03DAF557EC109162F0AB2FDE539493FC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159216Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:23.074{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58699-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159215Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:26.381{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B333B28C9D03F87F1782B5231EFBFB3,SHA256=9D18B898FD804C04F2592384033AA367AEA069D749057F4BEDB6C5AB4B3D882B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118800Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:27.587{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B87CB8C3D6596556A31962ACFC25BC9,SHA256=9FC52FD0C2616BC0EEDDBA5C959C01E849AC2E8DC9595F5A0BFC40F1EE586DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159217Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:27.396{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF9ABA25E7F65383C5970B765E35203,SHA256=527A553D3107A04446A3B460EFF210770B81429DD7F1D588EB19EE5B81E8101B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118801Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:28.650{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDFE9070299683DD3F991FA6C721C8B,SHA256=A1CC7E6493CAF260CDA03E2CAADC5ED496F7967B8BFDDBCC58CFCC591BBEE2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159218Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:28.412{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BACC04FB32A9DD398EBC57A547DA7E9,SHA256=C4A269A59208BF8672A9BC0AA4165850C4D19FC173B0AC86105AE11A2AE91F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159219Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:29.428{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951517BE82571875652D6C95E10AA054,SHA256=08695AA2D252AA196ECB62A73DB9E4D160957B51A13611FC87E36600F7F4B55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118802Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:29.681{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE15B4E2A5EC7E727D75640604274908,SHA256=677E70DAB625527E342E1AD1D0EEA55D5B158EB36288AA0CBE38BC8C019FAD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159220Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:30.443{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FEAD7E24B27AF5C8887FE059FA95F2,SHA256=2AEF18458C62FE74E0EE1130E7AF57106E3C43F411E53FB3566A016721E2A78A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118803Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:30.697{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4840A9F42024F07C638A3AD1ADE61D,SHA256=F217D1AEC019C752E9B68E5D6C493E9AC921F78C77780292AEC2B99B96591A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159222Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:31.647{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C30A15B6178C9532C9F86776CACBB6,SHA256=1BF2DA649FFF7ED30C776B146237A9FCCC5CB31F149B5F0DB5FD5A5D227FA179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118804Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:31.712{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECB976304C984297D4C0CBACB4DDAD7,SHA256=A1D1AD3E8C9CC942EA431C5395E833E5ED962BEA3F3C2919A5C3C46656F476CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159221Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:28.215{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58700-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159223Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:32.756{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B18A77626353B51611CC7CB0C73602,SHA256=D454A404D386C0198F46D1C29379D7454F0C8A6DA65941FD1DCD67EA9CA26126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118805Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:32.728{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B26FB93F4769D74F691CDE14D462BB,SHA256=6155C9FB48EBCD58CB6814B925836052D65A60D6110300B8B4E9651B517A5F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159224Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:33.771{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333BB8629C8D7CF7A4C6A84FE4AE4CD9,SHA256=7F76F4ACDE8F3F8A5D97E1EAB776F2FF779EA74CADBEC0B2B7FC39A090D17959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118807Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:33.728{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1CE9817078FC0D6230FFC0BD46DA44D,SHA256=F481A637442A44B6F3A25DB44D6A2E9DF1AC12AFC8D424507A0B8AC01212A9B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118806Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:30.680{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159225Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:34.787{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E376B37E1A8FE9DCB0E5BACB403A90CB,SHA256=AFC35288EDCBAFB30AE5F0846D2D5FB183EFB170BAF757E15C706E9CF04BD89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118808Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:34.743{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F915F54DFE6634C09A58CFB98FFA0842,SHA256=48C38C3AB30866CF8BC73FB9DD4E41C198F0D7F2420573725EB678AD31457283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118809Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:35.743{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E4E5D0EC2C3209D7DDF4BA50C534D2,SHA256=1F62D58F517B55E751CAE4A14529B20CC2441960C9C29217DB2C54F1525D5036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118810Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:36.743{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB0DD824094C240FCEF283233B8E256,SHA256=A77CE200511EA44B31ED2AA8FFD6DBDA05664E2F5F7C5946D803C9922BCA533F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159235Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA0-618E-9401-000000000602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159234Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159233Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159232Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159231Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159230Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2AA0-618E-9401-000000000602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159229Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA0-618E-9401-000000000602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159228Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.929{189417FC-2AA0-618E-9401-000000000602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000159227Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:34.106{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58701-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159226Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.006{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D5C0D1D7CBB97AE569B3F16F24B9F3,SHA256=C4B64ECA62B2E967A3B16135DE29E59BCF6F49559F83C3312715FC484E1BF34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118811Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:37.743{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17DB01F60F6A9A4CDC9C9CD6A7BAB16B,SHA256=123C5277112884108F0F415565460E5310557B82C116A4D3D66ECFA353D5CB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159265Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.943{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E63635B11976F90495DA6CBE78F8C623,SHA256=4EE24718800746C86E66E980963A66AC2D4AEB6959CAAF2A23B86E9FFD592D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159264Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.943{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7259ECFC944B994ADE484AB09FDE40D8,SHA256=EB09559DF8B10D18518ED0D67FEF9B4BC496112996127DAC5BE71DDB39B56B2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159263Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.912{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159262Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.912{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159261Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.866{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159260Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.866{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159259Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.834{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2AA1-618E-9701-000000000602}2976C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159258Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.818{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AA1-618E-9701-000000000602}2976C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159257Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.802{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2AA1-618E-9701-000000000602}2976C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159256Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.802{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159255Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.802{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2AA1-618E-9701-000000000602}2976C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159254Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.802{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159253Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.802{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159252Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.802{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159251Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.804{189417FC-2AA1-618E-9701-000000000602}2976C:\Windows\System32\InstallAgent.exe10.0.14393.4169 (rs1_release.210107-1130)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=88C7DCDD735B31E4F5620E4B9F38C87F,SHA256=5EF1322B96F176C4EA4B8304CAF8B45E2E42C3188AA82ED1FD6196AFC04B7297,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{189417FC-233E-618E-0C00-000000000602}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000159250Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.709{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159249Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.709{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159248Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.709{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159247Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.709{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159246Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.709{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159245Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.631{189417FC-2AA1-618E-9501-000000000602}26404896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159244Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA1-618E-9501-000000000602}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159243Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159242Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159241Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159240Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159239Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AA1-618E-9501-000000000602}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159238Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA1-618E-9501-000000000602}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159237Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-2AA1-618E-9501-000000000602}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159236Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.037{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73EC6F471356958B6CFB6B935BDA415,SHA256=18E9B0AF7D806E2FF353016699B44022B885916205A4D7ABA2E7D59607FE8CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118813Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:38.853{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C48C9DB62981F0939432DB77F5628F,SHA256=F8B5D1802A67F5AB33AEDB79C804E0A723FD1801B91237E280CFA9416BDADA3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118812Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:36.696{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000159299Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.912{189417FC-233F-618E-1400-000000000602}11122716C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000159298Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:49:38.740{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000159297Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:49:38.740{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001cf40c) 13241300x8000000000000000159296Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:49:38.740{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d799-0xd7d87fa7) 13241300x8000000000000000159295Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:49:38.740{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7a2-0x399ce7a7) 13241300x8000000000000000159294Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:49:38.740{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7aa-0x9b614fa7) 23542300x8000000000000000159293Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.318{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD155FA6DC265DBC1232E260A226048,SHA256=72A1BF942442840AA8490E3B463BBBD16C8CAC01305ED5C926D5F16B5B656701,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159292Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.271{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159291Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.271{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159290Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.256{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159289Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.209{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159288Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.209{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159287Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.209{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159286Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.162{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-2AA2-618E-9901-000000000602}4244C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159285Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.162{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-2AA2-618E-9901-000000000602}4244C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159284Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.131{189417FC-233F-618E-1600-000000000602}12521496C:\Windows\system32\svchost.exe{189417FC-2AA2-618E-9901-000000000602}4244C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159283Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.115{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AA2-618E-9901-000000000602}4244C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159282Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.115{189417FC-233F-618E-1600-000000000602}1252NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Logs\WindowsUpdate\WindowsUpdate.20210310.180215.536.1.etlMD5=773E294C300AA593C4FDA70F4C5683B7,SHA256=24BC3FA1E6DA1306522A7975649FE84545A5CEC4B1AFEB1CBD0500587AC9A54C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159281Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AA2-618E-9901-000000000602}4244C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159280Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AA2-618E-9901-000000000602}4244C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159279Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159278Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159277Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159276Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA2-618E-9801-000000000602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159275Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159274Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159273Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159272Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159271Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AA2-618E-9801-000000000602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159270Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA2-618E-9801-000000000602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159269Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.100{189417FC-2AA2-618E-9801-000000000602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000159268Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.084{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159267Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.084{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159266Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.006{189417FC-233F-618E-1600-000000000602}1252NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118814Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:39.884{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4230A69E62FA8EFEEBE4DA27936DB9E8,SHA256=1552E18E2244CB07538EF28A2EB317F4F0433B9BD0C60668B20F0262B10D4E4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159308Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.443{189417FC-233F-618E-1600-000000000602}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58703-false40.125.122.176-443https 354300x8000000000000000159307Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.284{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local63249- 354300x8000000000000000159306Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.284{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local63249-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domain 354300x8000000000000000159305Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.843{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58702-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000159304Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.842{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58702-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 23542300x8000000000000000159303Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:39.459{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C2616EC873F510D5003F5759B79060,SHA256=4E463FEE1B80D1F0FB181B838B7C107E85D6F48DC5091C7D66F525D4AF6AC810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159302Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:39.209{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E31FB8BE4C2CDF5118630E6B67CDDCB3,SHA256=2AE80A050E690F48EEA9F8C5C6DFD2624E86D578EED7C15BBDEBA4F02D46C46A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159301Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:39.209{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=31911BED608547EE7B8DD5BA557FC079,SHA256=BB7C37A4B357803E1FFAEA218488FAF245DCC77EA529C51D58F535A32BE7F96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159300Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:39.099{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E63635B11976F90495DA6CBE78F8C623,SHA256=4EE24718800746C86E66E980963A66AC2D4AEB6959CAAF2A23B86E9FFD592D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118815Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:40.946{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7DE98C0F3245EB01C2478E77FA5F7E,SHA256=D43F54615C94F1CBEB2CA538CFE2D39E4F2D47442126D922EC5D990E684EBEF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159319Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.724{189417FC-2AA4-618E-9A01-000000000602}46163028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000159318Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.localT1042SetValue2021-11-12 08:49:40.615{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXEHKU\S-1-5-21-2006876236-2289804728-1473726685-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 23542300x8000000000000000159317Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.553{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36AD30B770F897BBD58933EF93675C71,SHA256=E669AE9D551EC67775A3BE5E9E69F61EC226C789AB56D635165F5B24993A5F5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159316Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA4-618E-9A01-000000000602}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159315Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159314Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159313Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159312Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159311Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AA4-618E-9A01-000000000602}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159310Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA4-618E-9A01-000000000602}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159309Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.350{189417FC-2AA4-618E-9A01-000000000602}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000159393Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA5-618E-9C01-000000000602}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159392Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159391Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159390Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159389Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159388Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AA5-618E-9C01-000000000602}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159387Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA5-618E-9C01-000000000602}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159386Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.742{189417FC-2AA5-618E-9C01-000000000602}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159385Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.724{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E795CDB772BA2BB048BA244FCC9487C6,SHA256=30F3A6285EF837FB1B3857DE53F5FE555E98ADDC7AFFF4361ED2F1EA1D779076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159384Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.724{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7414DE5E499526DF5DBBEF9CF2AC6FDD,SHA256=886641D535D4C9985A9FEC8FB6140351D15E75553E89EFE5010515F5263BE6FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159383Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:39.168{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58704-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000159382Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.575{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51719- 10341000x8000000000000000159381Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159380Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159379Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159378Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159377Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159376Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159375Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159374Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159373Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159372Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159371Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159370Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159369Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159368Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159367Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159366Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159365Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159364Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159363Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159362Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159361Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159360Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159359Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159358Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159357Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159356Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159355Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159354Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159353Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159352Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159351Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159350Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159349Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159348Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159347Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159346Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159345Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159344Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159343Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159342Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159341Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159340Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159339Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159338Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159337Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159336Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159335Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159334Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159333Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159332Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159331Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159330Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159329Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.412{189417FC-2AA5-618E-9B01-000000000602}4580416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159328Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.381{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=481D579569CD96874224826D602B743E,SHA256=B0A09F14176C5993E1A4C41265D68F63B2A9478B9AA61A7C2596C6D272F440BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159327Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA5-618E-9B01-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159326Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159325Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159324Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159323Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159322Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2AA5-618E-9B01-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159321Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA5-618E-9B01-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159320Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.241{189417FC-2AA5-618E-9B01-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159396Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:42.740{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08E11811D79F68363198C6DDEC588DDB,SHA256=69D2E4066C62D0EF906A169FFBE647E33B7B2CCE82A3C5224FE49AAB5154BD7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159395Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:42.724{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086648135112F21F8A4A096EC1C81D0E,SHA256=1FD67BB07BCE7283DE5A3D4BF773495E044216C411E407A40634649086115170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118816Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:42.087{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4570E8DA321433E1FCACDDCE4B6C33,SHA256=EF44E188CA8BDF2865A92D6A2EDC3FCB43C967A6CBA63CA334860B262E90A170,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159394Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:42.178{189417FC-2AA5-618E-9C01-000000000602}46604948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159405Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B249A2889B01B5C16D337599A3DE13,SHA256=FA9CAA56B27DD74DB8CE6723B0CF0551E7357A1FC3FEB9EDD329ED2E26ED5C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118817Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:43.087{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADABA7B0528E357DFF615E34CDD839A,SHA256=787C5528DAC0D67232D97A60B07F12BEF1D765716AC7F706426DA5CCEED6A24A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159404Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA7-618E-9D01-000000000602}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159403Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159402Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159401Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159400Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159399Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2AA7-618E-9D01-000000000602}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159398Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA7-618E-9D01-000000000602}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159397Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-2AA7-618E-9D01-000000000602}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159407Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:44.974{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8127A52D9147F345A026BF75F8BD3967,SHA256=E37B794B35D47E0D5ECFB0BEDE6257B0E973E542D10A737779AE61A9934EB32A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118819Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:42.680{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118818Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:44.134{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D0F5476828794C1BD4E47F3CF600B1,SHA256=961812FDD72402E99AC464ABE79A50028C3F929A99806DA48C54A8A9DA46E3DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159406Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:44.459{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=982455D99A25B65F3E0443D8F18B5753,SHA256=FBD6DC13CEB262B0D153F5B00209AB4F8D45772FDEF55018E907FED5F99107FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118820Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:45.149{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2997AA4771240FE9DE9CF381D823DD7,SHA256=49D7C33E02402F99384924C29DA3044715011694B5BB4B316B1C51AFD1EA5211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118821Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:46.228{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A306CBAB23A04D20FAEC4CAC4EE932,SHA256=AA7C76552AECBF5CFCED03D7243F8E095C724C237522F16292E2E413F76AE06C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159419Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.974{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159418Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.974{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159417Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.771{189417FC-2AAA-618E-9F01-000000000602}44363160C:\Windows\system32\conhost.exe{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159416Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.756{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159415Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.756{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159414Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.756{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159413Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.740{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159412Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.740{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159411Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.740{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159410Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.740{189417FC-2975-618E-6001-000000000602}45084276C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+1f9ab4|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+175750|C:\Windows\System32\SHELL32.dll+16d62c|C:\Windows\System32\SHELL32.dll+19e808|C:\Windows\System32\SHELL32.dll+16d7c6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000159409Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.754{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp"C:\Windows\system32\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{189417FC-2975-618E-6001-000000000602}4508C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000159408Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.006{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E66D1D89638A98A8D4D2DBA4821D03,SHA256=BB30E2DB586B5F73B890DBD1B423551C30173EDC2FB30BD9E6FA0A42C8A56BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118822Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:47.259{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB8BC97454A68805F73FE9272E56959,SHA256=C676BE333751DA525AF1B592FDB97A955F0FB57171F9CF35A74D4CAD975BC939,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159435Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:45.106{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58705-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159434Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.740{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29325ED612FA52A4FE5AC08E354049F8,SHA256=9F1B4F02CA6E625D7318A6E3C81B69EDB2A1D0874AD51BC0BD5D3C153DB882F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159433Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.037{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04FBC6F582E92DA926D76DECC4C4D57D,SHA256=C372299C22EC288E7945BA77A92C94C780931223B2EDA7296B8A642D208A413B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159432Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.037{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159431Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.021{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159430Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.021{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159429Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.021{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159428Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.021{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159427Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159426Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159425Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159424Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159423Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159422Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159421Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159420Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118823Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:48.399{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B918693A2F6331C45D7C7AB4E8879CBF,SHA256=2D68D6C5ADA4FBD640450C24F2855C9C21BCCCB4531A360D1D4B7FFCD78EC252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159436Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:48.037{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D93125EAEDC672E156D757CEE52B5CE,SHA256=10B0AC856BE41BED9966740487E11D8F3420F94AF38F34244C1DD5AB76974975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118824Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:49.509{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1776BCC3C0898890BBCF2C707B13E171,SHA256=0DE983436C5D95AC5DD27566112BD3B112CD1187798F7D0CDC4EF55AECBACC35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159437Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:49.099{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB65E990CEB207D3095C76E9FFFD015,SHA256=3350EE47B2CF1D1DD7A0A506FE583FC771081FFC8FCE2739514B9BEA6C07CC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118826Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:50.587{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12193D3333264A32600D6AA0F00996EF,SHA256=47C76F172A21B25A89C2CEA5C4D4EB4CF453E70DFCE48222A8CD241F130761AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159438Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:50.146{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80608E99DDE1077E5926F76E8FC90A81,SHA256=FAB053FDCCB8A4F59D345BC24AAC8DEE3591C3F46FBB8E7478C721E1F6007634,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118825Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:48.633{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118827Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:51.587{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55DDA50163CF67BAA8C0D3C5DFC4D9B,SHA256=0C2B3D2D3A1EDB604C1828AC946921CBB1C8F51F0ABC2D2D6354C89615E00CCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159472Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159471Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159470Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159469Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159468Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+105f4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159467Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+105f4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159466Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159465Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159464Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159463Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159462Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.209{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159461Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.209{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159460Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.193{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159459Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.193{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159458Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.193{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159457Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.177{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AAF-618E-A001-000000000602}1800C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+b5d6|C:\Program Files\Mozilla Firefox\firefox.exe+9999|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159456Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.162{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29F9657A34CE016E399D0B5312317E3,SHA256=DDCCE3D7416C0DD0E081D8C2F6DA23FF892279E5EF3E18947242326198A7D5A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159455Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159454Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159453Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159452Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159451Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159450Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-2AAF-618E-A001-000000000602}18001160C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+cde5|C:\Program Files\Mozilla Firefox\firefox.exe+9999|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159449Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.140{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862MediumMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A001-000000000602}1800C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000159448Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-2AAF-618E-A001-000000000602}18001160C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+b5d6|C:\Program Files\Mozilla Firefox\firefox.exe+9999|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159447Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.099{189417FC-233F-618E-1000-000000000602}4081120C:\Windows\System32\svchost.exe{189417FC-2AAF-618E-A001-000000000602}1800C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159446Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.099{189417FC-233F-618E-1000-000000000602}4081120C:\Windows\System32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159445Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.084{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159444Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.084{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159443Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.084{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159442Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.084{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159441Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.084{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AAF-618E-A001-000000000602}1800C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159440Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.084{189417FC-2975-618E-6001-000000000602}45084152C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A001-000000000602}1800C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\windows.storage.dll+11a32|C:\Windows\System32\windows.storage.dll+11729|C:\Windows\System32\windows.storage.dll+115ff|C:\Windows\System32\SHELL32.dll+80337|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000159439Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.078{189417FC-2AAF-618E-A001-000000000602}1800C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2975-618E-6001-000000000602}4508C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000118828Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:52.618{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53A0F23B962CEEBEAB5AD147457778E,SHA256=2B5F8BCCFA795617245056D4DD08AADA260A1B2C9FDDF5C9F7FE8D2DC6C8BC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159474Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:52.177{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2E68D6517F56AF224DFF5C38EC7C43,SHA256=A61B4124445BE910DA3EA807BF8B5F7BF3C3E260078E74C5E145DA75F513D7CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159473Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:52.162{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2176ABBC6CF09D99FF91CC9927B5A503,SHA256=4349DBBB821267ED53CF0367C038E712FDF70AE5461C80D1FAE28162975891CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118830Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:53.950{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-030MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118829Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:53.651{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475D738AB3652938A6D32B82BA89C748,SHA256=EA2A60DDE904E7AB4B263DD249A0431F8B269335F805F6D22381D1DECFEB842F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159554Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}4352788C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+93fe81|C:\Program Files\Mozilla Firefox\xul.dll+9a7cee|C:\Program Files\Mozilla Firefox\xul.dll+cbf41|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+16c7915|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+25f52|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159553Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159552Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159551Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159550Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159549Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159548Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159547Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+f4e6e8|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3 10341000x8000000000000000159546Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+f4e6e8|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3 10341000x8000000000000000159545Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+f4e6e8|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3 10341000x8000000000000000159544Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159543Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159542Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159541Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159540Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.959{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159539Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.959{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159538Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.943{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159537Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.943{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159536Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.943{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+994ec9|C:\Program Files\Mozilla Firefox\xul.dll+db86f8|C:\Program Files\Mozilla Firefox\xul.dll+195ab5b|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+192a2a9|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000159535Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:53.943{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000159534Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:53.943{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-0C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159533Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.927{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159532Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.927{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adafa3|C:\Program Files\Mozilla Firefox\xul.dll+30b31c|C:\Program Files\Mozilla Firefox\xul.dll+f2e795|C:\Program Files\Mozilla Firefox\xul.dll+b4df24|C:\Program Files\Mozilla Firefox\xul.dll+30abed|C:\Program Files\Mozilla Firefox\xul.dll+391b5b|C:\Program Files\Mozilla Firefox\xul.dll+39135d|C:\Program Files\Mozilla Firefox\xul.dll+b37a1a|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50 10341000x8000000000000000159531Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.927{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adafa3|C:\Program Files\Mozilla Firefox\xul.dll+af413f|C:\Program Files\Mozilla Firefox\xul.dll+af3dd4|C:\Program Files\Mozilla Firefox\xul.dll+f2e062|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65|C:\Program Files\Mozilla Firefox\xul.dll+e876f4|C:\Program Files\Mozilla Firefox\xul.dll+e87199|C:\Program Files\Mozilla Firefox\xul.dll+e87dcf 10341000x8000000000000000159530Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.927{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+ae8612|C:\Program Files\Mozilla Firefox\xul.dll+ae1700|C:\Program Files\Mozilla Firefox\xul.dll+ae2546|C:\Program Files\Mozilla Firefox\xul.dll+affd24|C:\Program Files\Mozilla Firefox\xul.dll+a9a009|C:\Program Files\Mozilla Firefox\xul.dll+ae792e|C:\Program Files\Mozilla Firefox\xul.dll+199fa69|C:\Program Files\Mozilla Firefox\xul.dll+18b0d93|C:\Program Files\Mozilla Firefox\xul.dll+18af0cf|C:\Program Files\Mozilla Firefox\xul.dll+37d84d|C:\Program Files\Mozilla Firefox\xul.dll+f35dd6|C:\Program Files\Mozilla Firefox\xul.dll+f356da|C:\Program Files\Mozilla Firefox\xul.dll+f3586e|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88 10341000x8000000000000000159529Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.927{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x8000000000000000159528Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.896{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159527Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.896{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159526Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:53.896{189417FC-2AB1-618E-A201-000000000602}96\chrome.4352.2.91307503C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159525Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.896{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+1b443c|C:\Program Files\Mozilla Firefox\xul.dll+94a036|C:\Program Files\Mozilla Firefox\xul.dll+94490f|C:\Program Files\Mozilla Firefox\xul.dll+1946e91|C:\Program Files\Mozilla Firefox\xul.dll+1945587|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159524Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:53.896{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.2.91307503C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000159523Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:53.896{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.1.189385845C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159522Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.896{189417FC-2AAF-618E-A101-000000000602}43524700C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13032b|C:\Program Files\Mozilla Firefox\xul.dll+1192e1d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159521Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:53.896{189417FC-2AAF-618E-A101-000000000602}4352\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159520Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.881{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159519Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dbf8c9|C:\Program Files\Mozilla Firefox\xul.dll+db1420|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6|C:\Program Files\Mozilla Firefox\xul.dll+16e9dcb|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd|C:\Program Files\Mozilla Firefox\xul.dll+165513f|C:\Program Files\Mozilla Firefox\xul.dll+1ad9cf6|C:\Program Files\Mozilla Firefox\xul.dll+167f79b 10341000x8000000000000000159518Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+986b14|C:\Program Files\Mozilla Firefox\xul.dll+a0e2ee|C:\Program Files\Mozilla Firefox\xul.dll+db13d0|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6|C:\Program Files\Mozilla Firefox\xul.dll+16e9dcb|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd|C:\Program Files\Mozilla Firefox\xul.dll+165513f 10341000x8000000000000000159517Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6|C:\Program Files\Mozilla Firefox\xul.dll+16e9dcb|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd 10341000x8000000000000000159516Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+db10ca|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6|C:\Program Files\Mozilla Firefox\xul.dll+16e9dcb|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd|C:\Program Files\Mozilla Firefox\xul.dll+165513f|C:\Program Files\Mozilla Firefox\xul.dll+1ad9cf6 10341000x8000000000000000159515Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+db1041|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6|C:\Program Files\Mozilla Firefox\xul.dll+16e9dcb|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd|C:\Program Files\Mozilla Firefox\xul.dll+165513f|C:\Program Files\Mozilla Firefox\xul.dll+1ad9cf6|C:\Program Files\Mozilla Firefox\xul.dll+167f79b|C:\Program Files\Mozilla Firefox\xul.dll+165513f 10341000x8000000000000000159514Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+bf1e5|C:\Program Files\Mozilla Firefox\xul.dll+db0d18|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6|C:\Program Files\Mozilla Firefox\xul.dll+16e9dcb|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd|C:\Program Files\Mozilla Firefox\xul.dll+165513f|C:\Program Files\Mozilla Firefox\xul.dll+1ad9cf6|C:\Program Files\Mozilla Firefox\xul.dll+167f79b 10341000x8000000000000000159513Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+93cfbf|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+15eda3c|C:\Program Files\Mozilla Firefox\xul.dll+194560c|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159512Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159511Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159510Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159509Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159508Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159507Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.834{189417FC-2AAF-618E-A101-000000000602}43524552C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3ad|C:\Program Files\Mozilla Firefox\firefox.exe+2e5b5|C:\Program Files\Mozilla Firefox\xul.dll+1f40fea|C:\Program Files\Mozilla Firefox\xul.dll+93930a|C:\Program Files\Mozilla Firefox\xul.dll+937515|C:\Program Files\Mozilla Firefox\xul.dll+93dd7e|C:\Program Files\Mozilla Firefox\xul.dll+7e0ef1|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159506Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.843{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.1.1893858451\957623576" -childID 1 -isForBrowser -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 511 -prefMapSize 245782 -jsInit 1084 278680 -parentBuildID 20211103134640 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 2124 124f2b2fd38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862LowMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000159505Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:53.818{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.1.189385845C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159504Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.802{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439ee|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6 10341000x8000000000000000159503Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.802{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439c7|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6 10341000x8000000000000000159502Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.802{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e4399c|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6 23542300x8000000000000000159501Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.568{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159500Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.568{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159499Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.474{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\doomed\26970MD5=4E49208E89E56A02B78B8457F2740AFC,SHA256=07319E4F2D000B8C2656390E17EF1F5F9628C9A3C50B5A6B7836815547FFE798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159498Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.459{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159497Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.381{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159496Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.381{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159495Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.381{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159494Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:53.381{189417FC-2AB1-618E-A201-000000000602}96\chrome.4352.0.203879400C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159493Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.381{189417FC-2AAF-618E-A101-000000000602}43524700C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13032b|C:\Program Files\Mozilla Firefox\xul.dll+1192e1d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159492Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:53.381{189417FC-2AB1-618E-A201-000000000602}96\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159491Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.381{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159490Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.381{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159489Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159488Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159487Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159486Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159485Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+93cfbf|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+15eda3c|C:\Program Files\Mozilla Firefox\xul.dll+194560c|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159484Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159483Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-2AAF-618E-A101-000000000602}43524552C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+16e36c4|C:\Program Files\Mozilla Firefox\xul.dll+939189|C:\Program Files\Mozilla Firefox\xul.dll+937515|C:\Program Files\Mozilla Firefox\xul.dll+93dd7e|C:\Program Files\Mozilla Firefox\xul.dll+7e0ef1|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159482Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.335{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.0.2038794004\1457074761" -parentBuildID 20211103134640 -prefsHandle 1320 -prefMapHandle 1312 -prefsLen 1 -prefMapSize 245782 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 1416 124ec860d38 gpuC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862MediumMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000159481Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:53.318{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.0.203879400C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000159480Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:53.318{189417FC-2AAF-618E-A101-000000000602}4352\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159479Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.224{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159478Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.224{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159477Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.177{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4911F3781A4E817448991A8E2A52113,SHA256=7F2E3D4C75236EF7319F9CE2044F774F2127CDB1364695FD0E4E83C9ECB413B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159476Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.131{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159475Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:50.215{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58706-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118832Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:54.964{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-031MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118831Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:54.697{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC026205BE48ED4E3A93F7BE9FB6D447,SHA256=4C0CFB73DAC9A55ECFAFAEE6D899DE09ED7AAE51D7B0E7BF41343EACBA7B48C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159792Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159791Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159790Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159789Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159788Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159787Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159786Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159785Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-2AAF-618E-A101-000000000602}43524552C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3ad|C:\Program Files\Mozilla Firefox\firefox.exe+2e5b5|C:\Program Files\Mozilla Firefox\xul.dll+1f40fea|C:\Program Files\Mozilla Firefox\xul.dll+93930a|C:\Program Files\Mozilla Firefox\xul.dll+937515|C:\Program Files\Mozilla Firefox\xul.dll+93dd7e|C:\Program Files\Mozilla Firefox\xul.dll+7e0ef1|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159784Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.996{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.7.19055648\1823273474" -childID 4 -isForBrowser -prefsHandle 4328 -prefMapHandle 4104 -prefsLen 6773 -prefMapSize 245782 -jsInit 1084 278680 -parentBuildID 20211103134640 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 4348 124f39d9d38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862LowMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000159783Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159782Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159781Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159780Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159779Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159778Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159777Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.983{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.7.1905564C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159776Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.967{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+994ec9|C:\Program Files\Mozilla Firefox\xul.dll+db86f8|C:\Program Files\Mozilla Firefox\xul.dll+195ab5b|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+192a2a9|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000159775Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.967{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000159774Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.967{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159773Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.945{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159772Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.945{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159771Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.945{189417FC-2AB1-618E-A201-000000000602}96\chrome.4352.6.124859652C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159770Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.945{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+1b443c|C:\Program Files\Mozilla Firefox\xul.dll+94a036|C:\Program Files\Mozilla Firefox\xul.dll+94490f|C:\Program Files\Mozilla Firefox\xul.dll+1946e91|C:\Program Files\Mozilla Firefox\xul.dll+19457f3|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159769Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.945{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.6.124859652C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000159768Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.945{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.5.25488921C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159767Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.930{189417FC-2AAF-618E-A101-000000000602}43524700C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13032b|C:\Program Files\Mozilla Firefox\xul.dll+1192e1d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159766Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.930{189417FC-2AAF-618E-A101-000000000602}4352\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000159765Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.930{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326050B1F6D1F98653E62ACF5F2FED63,SHA256=5BD6D7CD8ECCC423C374D8F2D990DDB7B26D13BA187837A220ABB2C2BE693829,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000159764Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.611{189417FC-2AAF-618E-A101-000000000602}4352cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159763Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.609{189417FC-2AAF-618E-A101-000000000602}4352cs9.wac.phicdn.net093.184.220.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159762Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.596{189417FC-2AAF-618E-A101-000000000602}4352prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159761Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.582{189417FC-2AAF-618E-A101-000000000602}4352prod.ingestion-edge.prod.dataops.mozgcp.net035.227.207.240;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159760Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.431{189417FC-2AAF-618E-A101-000000000602}4352a1887.dscq.akamai.net02a02:26f0:1700:f::1737:a1a1;2a02:26f0:1700:f::1737:a1a4;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159759Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.426{189417FC-2AAF-618E-A101-000000000602}4352a1887.dscq.akamai.net0184.24.77.48;184.24.77.54;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159758Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.425{189417FC-2AAF-618E-A101-000000000602}4352r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:184.24.77.54;::ffff:184.24.77.48;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159757Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.205{189417FC-2AAF-618E-A101-000000000602}4352d2nxq2uap88usk.cloudfront.net02600:9000:225e:3000:a:da5e:7900:93a1;2600:9000:225e:f600:a:da5e:7900:93a1;2600:9000:225e:e600:a:da5e:7900:93a1;2600:9000:225e:5200:a:da5e:7900:93a1;2600:9000:225e:f200:a:da5e:7900:93a1;2600:9000:225e:200:a:da5e:7900:93a1;2600:9000:225e:8e00:a:da5e:7900:93a1;2600:9000:225e:6400:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159756Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.204{189417FC-2AAF-618E-A101-000000000602}4352d2nxq2uap88usk.cloudfront.net018.66.139.67;18.66.139.17;18.66.139.125;18.66.139.97;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159755Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.181{189417FC-2AAF-618E-A101-000000000602}4352example.org093.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159754Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.181{189417FC-2AAF-618E-A101-000000000602}4352example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159753Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.173{189417FC-2AAF-618E-A101-000000000602}4352prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159752Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.167{189417FC-2AAF-618E-A101-000000000602}4352prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159751Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.159{189417FC-2AAF-618E-A101-000000000602}4352detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159750Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dbf8c9|C:\Program Files\Mozilla Firefox\xul.dll+db1420|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159749Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+986b14|C:\Program Files\Mozilla Firefox\xul.dll+a0e2ee|C:\Program Files\Mozilla Firefox\xul.dll+db13d0|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8 10341000x8000000000000000159748Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159747Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159746Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159745Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159744Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159743Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159742Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159741Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159740Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159739Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159738Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159737Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159736Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159735Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+db10ca|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159734Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+db1041|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159733Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+bf1e5|C:\Program Files\Mozilla Firefox\xul.dll+db0d18|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159732Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+93cfbf|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+15eda3c|C:\Program Files\Mozilla Firefox\xul.dll+194560c|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159731Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159730Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159729Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159728Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159727Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159726Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-2AAF-618E-A101-000000000602}43524552C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3ad|C:\Program Files\Mozilla Firefox\firefox.exe+2e5b5|C:\Program Files\Mozilla Firefox\xul.dll+1f40fea|C:\Program Files\Mozilla Firefox\xul.dll+93930a|C:\Program Files\Mozilla Firefox\xul.dll+937515|C:\Program Files\Mozilla Firefox\xul.dll+93dd7e|C:\Program Files\Mozilla Firefox\xul.dll+7e0ef1|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159725Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.895{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.5.254889219\1412856095" -childID 3 -isForBrowser -prefsHandle 4052 -prefMapHandle 4104 -prefsLen 6773 -prefMapSize 245782 -jsInit 1084 278680 -parentBuildID 20211103134640 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 4160 124f8accf38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862LowMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000159724Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.883{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.5.25488921C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159723Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159722Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159721Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.814{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=9DA25B1BAFBCF28600888EB9ED98BEDF,SHA256=8FCE6C6BEB7692DFA73C7BF8B8EC166B1C87497DD3724C0AC819B9F429EC2396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159720Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.814{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=9DA25B1BAFBCF28600888EB9ED98BEDF,SHA256=8FCE6C6BEB7692DFA73C7BF8B8EC166B1C87497DD3724C0AC819B9F429EC2396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159719Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.814{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=C79B11468454491C63E95578874803B9,SHA256=5409909CA518DBFCD76C96C08AFAFFD6F5AF7AB62B1329EB4A78A1ACA8935104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159718Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.814{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=55E8609F7694397EFBC207072F077D12,SHA256=3B4832AD62D0B1DC33297835ED0C03A52981BBB8E3477F3D42CE1288B9D4B321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159717Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.799{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=982D51BD048A615D4998C76F37FCC02B,SHA256=6FB1C581AC221FB4262AADAE905CDCDAA09EA70B2306A3B26F23C935F16FBCC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159716Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.799{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=E46DD924F55462D60EDF3E14EF77EA04,SHA256=DA163EA2CE4A8F41309CCE1EFE671E4DD23EBA8D5FF1CE9D21259E30C4136B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159715Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.799{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=5E6008E5566DA613B699019FAEBDC82A,SHA256=47BA5D7A431055ADDF940DD310C0AD498D8FA81E15DC931521ECD355E5A92503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159714Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.799{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=7F8F9A51990B068CDA6670DB6B6619E0,SHA256=50C187719B87DA90C8634CECAABE3CD174193A5605E7F010ABB24A11EECEC54E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159713Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=E1C6266526E274E68108A15C564D5AD5,SHA256=CEFD6005AD7EAA66A682C711E7E9C81F63C3D5C452D7769BFEA9B9349D1AB62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159712Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=EFE9F1FAA3E35B602F979040B611A669,SHA256=1B2942D7761FCA547A1327778A881958DFE476883694CA7635D20C8A508F03AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159711Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=9D92810283136C762559D54CA0F46A65,SHA256=EDECA012D0FA17DC306FF377802F0C6E52906140DA82BB319BFC1A04948D9F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159710Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=982D51BD048A615D4998C76F37FCC02B,SHA256=6FB1C581AC221FB4262AADAE905CDCDAA09EA70B2306A3B26F23C935F16FBCC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159709Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=64FAF0D25747A0227006076985EEAAA8,SHA256=73FCC48560D71DF86F2B4F3030F5291F3FF223C0700A377625B70436788528EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159708Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=CC69B09AEFD85FE76F387FF22A35A858,SHA256=08F0EAE6241620FBCBC6B3C1D46EE6C99CD0C3C09692550C537657A838A0F2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159707Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=7B85ADA1A483F2BC175A04F9E358EE86,SHA256=3B438A8FF277FDE2465D1FC0D980FA1A71E64B0602421F604B42842C7C1615CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159706Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=0AEC8C305AB24C81A859CEB9B3DB2E3C,SHA256=C57244A09C3C767329FFB1BF6B53CD45B5B7663AFCBE267C4D8C95E2824EA8D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159705Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=13FFDFC649AC1124FDAC5B76254EE269,SHA256=EBEDFD88628352853F7703E6326CED0B319D4CA64DAE1ED1C388FD64A4C7CE3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159704Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=A1F511B00974C953E8DD74025AC40B99,SHA256=9AA8A424134EAFA4940BB9B3FF600F26D26C7DC262FE554CA6A8C65DCF682FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159703Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=07E1019EA296978D6C31C90A90DBB825,SHA256=C4703FBFF5FC562A42619CA901AECC6E7247D39DEF32A10F3BC258E29C53DDFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159702Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=506157684F94D1D751AF28E86919550B,SHA256=D1C9685D21EF79A36DDF667FF0118AECDC2C0502586199D725A91CC125EE333E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159701Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=E10F4A7BD8005B28174BD41110B53FE1,SHA256=44E932A2E00BC4857A6F10A1F85F3CE41A719D74F006547246AB2AC871A2FD23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159700Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159699Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159698Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=7E8BD09BAA9694499EB7A41794B6076B,SHA256=8D0B022A298FAC5AB20BC508FDB9425D3D5D018063B31EB58AE8468CE9444252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159697Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.746{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=C55D41BD354F51BA011C301BD932C6B6,SHA256=5BE22265654CE82F48038E88D412D5213DB2EF31228DBA7F53A623B12420895E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159696Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.746{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\update-config.jsonMD5=FE74F5C38F433736EE7015868CFB159E,SHA256=3F7B3252EF3B6217AD78ADB7007738601CE1EEBCA69F55990B64BF254BD4FC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159695Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.746{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159694Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.746{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159693Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.714{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159692Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.714{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159691Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.714{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159690Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.630{189417FC-2AAF-618E-A101-000000000602}4352788C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+93fe81|C:\Program Files\Mozilla Firefox\xul.dll+9a7cee|C:\Program Files\Mozilla Firefox\xul.dll+cbf41|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+16c7915|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159689Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.599{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e88cbb|C:\Program Files\Mozilla Firefox\xul.dll+192a801 10341000x8000000000000000159688Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.599{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 23542300x8000000000000000159687Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.567{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EFDE8B7B4A495E2179D08ADB5F4E9C,SHA256=9FF1ECAE8B01BC5315D1023E48DDD7672A50B237907E5C07AF35BF659A39167B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159686Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159685Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159684Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159683Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159682Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159681Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159680Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159679Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159678Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159677Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14FE3D1833325B16488F35C3A59EF8C,SHA256=DE984C5DC385E3E1C4702115819C1464EEF0CCE3DB497CE2EE530DD30C19E404,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159676Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159675Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159674Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159673Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159672Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159671Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159670Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159669Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159668Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159667Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159666Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159665Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159664Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159663Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159662Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159661Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159660Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159659Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159658Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159657Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159656Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159655Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159654Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b41436|C:\Program Files\Mozilla Firefox\xul.dll+39c5a0|C:\Program Files\Mozilla Firefox\xul.dll+39c1b9|C:\Program Files\Mozilla Firefox\xul.dll+39c068|C:\Program Files\Mozilla Firefox\xul.dll+b57680|C:\Program Files\Mozilla Firefox\xul.dll+b56ffd|C:\Program Files\Mozilla Firefox\xul.dll+b500b4|C:\Program Files\Mozilla Firefox\xul.dll+b554b8|C:\Program Files\Mozilla Firefox\xul.dll+b55c4b|C:\Program Files\Mozilla Firefox\xul.dll+38eb41|C:\Program Files\Mozilla Firefox\xul.dll+b56a29|C:\Program Files\Mozilla Firefox\xul.dll+b599e2|C:\Program Files\Mozilla Firefox\xul.dll+b56446|C:\Program Files\Mozilla Firefox\xul.dll+38e307|C:\Program Files\Mozilla Firefox\xul.dll+b358ef|C:\Program Files\Mozilla Firefox\xul.dll+1e9b50a 10341000x8000000000000000159653Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+add828|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159652Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159651Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159650Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159649Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159648Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159647Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159646Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.468{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159645Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.468{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159644Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.468{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F41B72B8E3636FFE0720B0A5D519A66,SHA256=7329A8CD5E8C638A567223C5CFDB18FF3C957A1CE138FFDF2DF4BF0BCD617FF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159643Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.430{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159642Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.430{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159641Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.430{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=877420433E1A2312FE4AAD097D737B07,SHA256=F4D7A0EA193B7DC27FBDBDCE170F8461C742E96A052175F33512A45E022A7E31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159640Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.430{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159639Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.430{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159638Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.430{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159637Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.415{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159636Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.399{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+994ec9|C:\Program Files\Mozilla Firefox\xul.dll+db86f8|C:\Program Files\Mozilla Firefox\xul.dll+195ab5b|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+192a2a9|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000159635Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.399{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000159634Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.399{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-1C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159633Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.399{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159632Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.399{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159631Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.383{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159630Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.383{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159629Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.383{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA6A62E3CAC7806A491967FC21EA97D,SHA256=17F39635426F9C5F310DA7ABF4D838AC4521D5C54FCD34B6608502CC9C7CC485,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159628Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.383{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+ef2c08|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e88cbb|C:\Program Files\Mozilla Firefox\xul.dll+192a801 10341000x8000000000000000159627Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.368{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159626Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.368{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159625Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.368{189417FC-2AB1-618E-A201-000000000602}96\chrome.4352.4.138860035C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159624Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.368{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+1b443c|C:\Program Files\Mozilla Firefox\xul.dll+94a036|C:\Program Files\Mozilla Firefox\xul.dll+94490f|C:\Program Files\Mozilla Firefox\xul.dll+1946e91|C:\Program Files\Mozilla Firefox\xul.dll+1945587|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159623Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.368{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.4.138860035C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000159622Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.368{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.3.56488732C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159621Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.368{189417FC-2AAF-618E-A101-000000000602}43524700C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13032b|C:\Program Files\Mozilla Firefox\xul.dll+1192e1d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159620Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.368{189417FC-2AAF-618E-A101-000000000602}4352\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159619Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.346{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159618Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dbf8c9|C:\Program Files\Mozilla Firefox\xul.dll+db1420|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+1aecae3|C:\Program Files\Mozilla Firefox\xul.dll+1cb9fd5 10341000x8000000000000000159617Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+986b14|C:\Program Files\Mozilla Firefox\xul.dll+a0e2ee|C:\Program Files\Mozilla Firefox\xul.dll+db13d0|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601 10341000x8000000000000000159616Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159615Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159614Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159613Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159612Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159611Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159610Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159609Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159608Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159607Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159606Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159605Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159604Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159603Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+db10ca|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+1aecae3 10341000x8000000000000000159602Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+db10bf|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601 10341000x8000000000000000159601Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+db10bf|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601 10341000x8000000000000000159600Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+db1041|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+1aecae3|C:\Program Files\Mozilla Firefox\xul.dll+1cb9fd5|UNKNOWN(000001A4E9C63EBF) 10341000x8000000000000000159599Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+bf1e5|C:\Program Files\Mozilla Firefox\xul.dll+db0d18|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+1aecae3|C:\Program Files\Mozilla Firefox\xul.dll+1cb9fd5 10341000x8000000000000000159598Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+93cfbf|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+15eda3c|C:\Program Files\Mozilla Firefox\xul.dll+194560c|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159597Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159596Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159595Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159594Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159593Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159592Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.315{189417FC-2AAF-618E-A101-000000000602}43524552C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3ad|C:\Program Files\Mozilla Firefox\firefox.exe+2e5b5|C:\Program Files\Mozilla Firefox\xul.dll+1f40fea|C:\Program Files\Mozilla Firefox\xul.dll+93930a|C:\Program Files\Mozilla Firefox\xul.dll+937515|C:\Program Files\Mozilla Firefox\xul.dll+93dd7e|C:\Program Files\Mozilla Firefox\xul.dll+7e0ef1|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159591Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.3.564887321\206879888" -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3472 -prefsLen 6051 -prefMapSize 245782 -jsInit 1084 278680 -parentBuildID 20211103134640 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 3484 124f5c36338 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862LowMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000159590Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.315{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159589Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.315{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.3.56488732C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159588Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.299{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f59b5c|C:\Program Files\Mozilla Firefox\xul.dll+f4b08d|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0 10341000x8000000000000000159587Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.299{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+ef2c08|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 23542300x8000000000000000159586Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.268{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159585Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.268{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+add828|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159584Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.268{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+add828|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159583Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.231{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x8000000000000000159582Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.231{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x8000000000000000159581Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.231{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x8000000000000000159580Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.231{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+ef2c08|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159579Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159578Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159577Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159576Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159575Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159574Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159573Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159572Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.168{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159571Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.146{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159570Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.146{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159569Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.146{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159568Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.146{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000159567Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.146{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159566Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.115{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439ee|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+e903d5|C:\Program Files\Mozilla Firefox\xul.dll+1a479e3|C:\Program Files\Mozilla Firefox\xul.dll+16f86ad|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+10403c|C:\Program Files\Mozilla Firefox\xul.dll+122cef|C:\Program Files\Mozilla Firefox\xul.dll+1102bee|C:\Program Files\Mozilla Firefox\xul.dll+83b2f8|C:\Program Files\Mozilla Firefox\xul.dll+83ba46|C:\Program Files\Mozilla Firefox\xul.dll+22f560 10341000x8000000000000000159565Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.115{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439c7|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+e903d5|C:\Program Files\Mozilla Firefox\xul.dll+1a479e3|C:\Program Files\Mozilla Firefox\xul.dll+16f86ad|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+10403c|C:\Program Files\Mozilla Firefox\xul.dll+122cef|C:\Program Files\Mozilla Firefox\xul.dll+1102bee|C:\Program Files\Mozilla Firefox\xul.dll+83b2f8|C:\Program Files\Mozilla Firefox\xul.dll+83ba46|C:\Program Files\Mozilla Firefox\xul.dll+22f560 10341000x8000000000000000159564Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.115{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e4399c|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+e903d5|C:\Program Files\Mozilla Firefox\xul.dll+1a479e3|C:\Program Files\Mozilla Firefox\xul.dll+16f86ad|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+10403c|C:\Program Files\Mozilla Firefox\xul.dll+122cef|C:\Program Files\Mozilla Firefox\xul.dll+1102bee|C:\Program Files\Mozilla Firefox\xul.dll+83b2f8|C:\Program Files\Mozilla Firefox\xul.dll+83ba46|C:\Program Files\Mozilla Firefox\xul.dll+22f560 10341000x8000000000000000159563Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.099{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159562Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.099{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159561Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.099{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159560Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.084{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159559Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.084{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159558Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.068{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+bf56f4|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+165302a|C:\Program Files\Mozilla Firefox\xul.dll+1ae3fa6|C:\Program Files\Mozilla Firefox\xul.dll+170884e|C:\Program Files\Mozilla Firefox\xul.dll+16b8275|UNKNOWN(000001A4E9C61E84) 10341000x8000000000000000159557Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.068{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+bf56f4|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+165302a|C:\Program Files\Mozilla Firefox\xul.dll+1ae3fa6|C:\Program Files\Mozilla Firefox\xul.dll+170884e|C:\Program Files\Mozilla Firefox\xul.dll+16b8275|UNKNOWN(000001A4E9C61E84) 10341000x8000000000000000159556Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.068{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+bf56f4|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+165302a|C:\Program Files\Mozilla Firefox\xul.dll+1ae3fa6|C:\Program Files\Mozilla Firefox\xul.dll+11c1bdf|C:\Program Files\Mozilla Firefox\xul.dll+1aeccb1|C:\Program Files\Mozilla Firefox\xul.dll+1cb9fd5|UNKNOWN(000001A4E9C63EBF) 10341000x8000000000000000159555Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.068{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+bf56f4|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+165302a|C:\Program Files\Mozilla Firefox\xul.dll+1ae3fa6|C:\Program Files\Mozilla Firefox\xul.dll+11c1bdf|C:\Program Files\Mozilla Firefox\xul.dll+70eb4|C:\Program Files\Mozilla Firefox\xul.dll+88312|C:\Program Files\Mozilla Firefox\xul.dll+88215|C:\Program Files\Mozilla Firefox\xul.dll+a0bb9c|C:\Program Files\Mozilla Firefox\xul.dll+84d5b|C:\Program Files\Mozilla Firefox\xul.dll+b82fbf|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd|C:\Program Files\Mozilla Firefox\xul.dll+120bc79|C:\Program Files\Mozilla Firefox\xul.dll+1ae57b0|C:\Program Files\Mozilla Firefox\xul.dll+170884e|C:\Program Files\Mozilla Firefox\xul.dll+1683511|C:\Program Files\Mozilla Firefox\xul.dll+196f5a8 23542300x8000000000000000118834Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:55.713{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEEB7DC4B9660383A5C5EC7B895B2B3,SHA256=522D219FED2221B4309AD857A6F3CE0CD484245770DFE49F9B72888326AA2075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159974Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.973{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=8B0B930BD10040516CECF865CBF807F0,SHA256=1F0B43926BEEC28F5BC2A9B9A3E19F8EE28329768934AC76EFD19B1FF7469A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159973Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.973{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159972Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.984{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local65177- 354300x8000000000000000159971Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.984{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53868- 354300x8000000000000000159970Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.981{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local49813- 354300x8000000000000000159969Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.980{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57558- 354300x8000000000000000159968Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.980{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local64854- 354300x8000000000000000159967Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.980{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51718- 354300x8000000000000000159966Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.980{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57209- 354300x8000000000000000159965Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.979{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50971- 354300x8000000000000000159964Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.978{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52593- 354300x8000000000000000159963Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.978{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local56060- 354300x8000000000000000159962Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.971{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57795- 354300x8000000000000000159961Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.970{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50999- 354300x8000000000000000159960Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.970{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local63251- 354300x8000000000000000159959Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.969{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53726- 354300x8000000000000000159958Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.968{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50374- 354300x8000000000000000159957Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.959{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local54602- 354300x8000000000000000159956Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.958{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52652- 354300x8000000000000000159955Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.958{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51110- 354300x8000000000000000159954Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.842{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58724-false35.227.207.240240.207.227.35.bc.googleusercontent.com443https 23542300x8000000000000000159953Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.957{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=664710C1B91D04A31D4AD6123807D44F,SHA256=6220FFF1EC2676AA2ADBF503DEC5EFF7FE3660EBBE296629AB9E31233706C05F,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000159952Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.998{189417FC-2AAF-618E-A101-000000000602}4352star-mini.c10r.facebook.com02a03:2880:f11c:8183:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159951Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.995{189417FC-2AAF-618E-A101-000000000602}4352e11847.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159950Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.994{189417FC-2AAF-618E-A101-000000000602}4352e15317.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159949Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.993{189417FC-2AAF-618E-A101-000000000602}4352e11847.a.akamaiedge.net0104.75.89.144;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159948Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.993{189417FC-2AAF-618E-A101-000000000602}4352e15317.a.akamaiedge.net0104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159947Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.993{189417FC-2AAF-618E-A101-000000000602}4352www.ebay.de0type: 5 ipv4.slot11847.ebay.com.edgekey.net;type: 5 e11847.a.akamaiedge.net;::ffff:104.75.89.144;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159946Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.992{189417FC-2AAF-618E-A101-000000000602}4352www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 www.amazon.de.edgekey.net;type: 5 e15317.a.akamaiedge.net;::ffff:104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159945Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.991{189417FC-2AAF-618E-A101-000000000602}4352dualstack.reddit.map.fastly.net02a04:4e42:62::396;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159944Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}4352dyna.wikimedia.org02620:0:862:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159943Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.989{189417FC-2AAF-618E-A101-000000000602}4352dualstack.reddit.map.fastly.net0199.232.137.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159942Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.989{189417FC-2AAF-618E-A101-000000000602}4352star-mini.c10r.facebook.com0157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159941Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.989{189417FC-2AAF-618E-A101-000000000602}4352dyna.wikimedia.org091.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159940Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.989{189417FC-2AAF-618E-A101-000000000602}4352www.reddit.com0type: 5 dualstack.reddit.map.fastly.net;::ffff:199.232.137.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159939Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.988{189417FC-2AAF-618E-A101-000000000602}4352www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159938Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.988{189417FC-2AAF-618E-A101-000000000602}4352www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:91.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159937Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.986{189417FC-2AAF-618E-A101-000000000602}4352youtube-ui.l.google.com02a00:1450:4001:810::200e;2a00:1450:4001:811::200e;2a00:1450:4001:812::200e;2a00:1450:4001:80f::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159936Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.986{189417FC-2AAF-618E-A101-000000000602}4352github.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159935Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.986{189417FC-2AAF-618E-A101-000000000602}4352www.codegrepper.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159934Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.980{189417FC-2AAF-618E-A101-000000000602}4352www.codegrepper.com0192.155.88.129;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000159933Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.957{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000159932Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.979{189417FC-2AAF-618E-A101-000000000602}4352www.codegrepper.com0::ffff:192.155.88.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159931Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.979{189417FC-2AAF-618E-A101-000000000602}4352github.com0140.82.121.3;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159930Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.978{189417FC-2AAF-618E-A101-000000000602}4352youtube-ui.l.google.com0142.250.184.238;216.58.212.174;142.250.74.206;142.250.186.46;142.250.186.78;142.250.186.142;172.217.18.110;142.250.186.174;142.250.184.206;216.58.212.142;142.250.185.78;142.250.185.110;142.250.185.142;142.250.185.238;142.250.181.238;172.217.16.142;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159929Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.977{189417FC-2AAF-618E-A101-000000000602}4352www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:172.217.16.142;::ffff:142.250.184.238;::ffff:216.58.212.174;::ffff:142.250.74.206;::ffff:142.250.186.46;::ffff:142.250.186.78;::ffff:142.250.186.142;::ffff:172.217.18.110;::ffff:142.250.186.174;::ffff:142.250.184.206;::ffff:216.58.212.142;::ffff:142.250.185.78;::ffff:142.250.185.110;::ffff:142.250.185.142;::ffff:142.250.185.238;::ffff:142.250.181.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159928Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.976{189417FC-2AAF-618E-A101-000000000602}4352github.com0::ffff:140.82.121.3;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000159927Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.926{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=804E1F68C038B57109DFB9ED9BD6735E,SHA256=A63BA4635A311071A50C85343BF670972D7A48203E77353DC7A7B02EAA29B4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159926Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.926{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3841DEB0562A354D8EA8E0ECE1AC5C40,SHA256=62F6D0C2431DC3EDA3C8017B80AF97CDE32CA9D211D268566B1642786D665C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159925Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.887{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159924Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.879{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159923Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.730{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58717-false52.41.42.148ec2-52-41-42-148.us-west-2.compute.amazonaws.com443https 354300x8000000000000000159922Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.703{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58723-false184.24.77.54a184-24-77-54.deploy.static.akamaitechnologies.com80http 354300x8000000000000000159921Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.689{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58722-false142.250.185.99fra16s49-in-f3.1e100.net80http 354300x8000000000000000159920Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.686{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57346- 354300x8000000000000000159919Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.682{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local65032- 354300x8000000000000000159918Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.671{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58720-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000159917Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.671{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58721-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000159916Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.669{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50764- 354300x8000000000000000159915Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.647{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58719-false142.250.184.234fra24s12-in-f10.1e100.net443https 354300x8000000000000000159914Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.645{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50970- 354300x8000000000000000159913Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.644{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57871- 354300x8000000000000000159912Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.642{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local56287- 354300x8000000000000000159911Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.600{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58718-false93.184.220.29-80http 354300x8000000000000000159910Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.600{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local64230- 354300x8000000000000000159909Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.574{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58716-false35.227.207.240240.207.227.35.bc.googleusercontent.com443https 354300x8000000000000000159908Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.574{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57788- 354300x8000000000000000159907Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.573{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local56315- 354300x8000000000000000159906Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.573{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52542- 354300x8000000000000000159905Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.567{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53192- 354300x8000000000000000159904Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.473{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58715-false52.222.214.96server-52-222-214-96.fra56.r.cloudfront.net443https 354300x8000000000000000159903Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.418{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58714-false184.24.77.54a184-24-77-54.deploy.static.akamaitechnologies.com80http 354300x8000000000000000159902Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.417{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local63427- 354300x8000000000000000159901Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.395{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58713-false52.222.214.96server-52-222-214-96.fra56.r.cloudfront.net443https 354300x8000000000000000159900Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.395{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51674- 354300x8000000000000000159899Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.394{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52308- 354300x8000000000000000159898Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.392{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local64198- 354300x8000000000000000159897Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.337{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58712-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000159896Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.336{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local65372- 354300x8000000000000000159895Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.336{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local55445- 23542300x8000000000000000159894Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.445{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\pending_pings\016e7da7-8f27-4eae-b863-7ef912951591MD5=8B00C7ECACEAEB3C4182DF202520C714,SHA256=7AEA2E1E36D25DF9241B36D071C883F2DA652F0EF540B077D58209D9C761C0EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159893Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.329{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B459106E89304C4C428AC4C16EF5FC,SHA256=1A1273ABF4CF31DF98B914EC1F1C9D6E92CDF1982FC8176BDC0A83C3E935722E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118833Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:53.743{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159892Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.229{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\pending_pings\c3f88ece-09a5-4c9d-bd2f-e5eea6b06a39MD5=91E43F6DD9B60C3B1FB2EDE7F7AD872A,SHA256=6E307B583F7C0BFEEB3667421EC90C4FD11D1704766AA55F8A10F3C70E18C6D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159891Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.195{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local49641- 354300x8000000000000000159890Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.173{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58710-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000159889Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.171{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57028- 354300x8000000000000000159888Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.165{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58709-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000159887Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.158{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51278- 354300x8000000000000000159886Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.148{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53925- 354300x8000000000000000159885Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:52.187{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-58708-false127.0.0.1-58707- 354300x8000000000000000159884Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:52.187{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-58708-false127.0.0.1-58707- 23542300x8000000000000000159883Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.182{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\search.json.mozlz4MD5=A52BFA33969CB66228B092D500B22119,SHA256=893ECCBDB36D3F5C88D87AEBCDFF8EC498225996ADB00EFF1C0F3A4E5EB49EEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159882Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.167{189417FC-2AAF-618E-A101-000000000602}4352788C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+93fe81|C:\Program Files\Mozilla Firefox\xul.dll+9a7cee|C:\Program Files\Mozilla Firefox\xul.dll+cbf41|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+16c7915|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159881Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.165{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159880Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.164{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159879Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.145{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159878Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.145{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159877Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.129{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+994ec9|C:\Program Files\Mozilla Firefox\xul.dll+db86f8|C:\Program Files\Mozilla Firefox\xul.dll+195ab5b|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+192a2a9|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000159876Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.129{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-4C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000159875Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:55.129{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-4C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000159874Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.129{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8E01A82B5A097EF17158DD903207AD,SHA256=906D2A0CA6AF8667B783D1739029B44303E69C2FEA2B3AA1ED2971788E3EBC54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159873Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.129{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159872Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.114{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159871Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.114{189417FC-2AB1-618E-A201-000000000602}96\chrome.4352.10.145043385C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159870Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.114{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+1b443c|C:\Program Files\Mozilla Firefox\xul.dll+94a036|C:\Program Files\Mozilla Firefox\xul.dll+94490f|C:\Program Files\Mozilla Firefox\xul.dll+1946e91|C:\Program Files\Mozilla Firefox\xul.dll+1945587|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159869Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:55.114{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.10.145043385C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000159868Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.114{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.9.98139869C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159867Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.114{189417FC-2AAF-618E-A101-000000000602}43524700C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13032b|C:\Program Files\Mozilla Firefox\xul.dll+1192e1d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159866Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.114{189417FC-2AAF-618E-A101-000000000602}4352\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159865Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159864Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159863Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159862Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159861Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159860Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159859Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159858Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dbf8c9|C:\Program Files\Mozilla Firefox\xul.dll+db1420|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159857Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+986b14|C:\Program Files\Mozilla Firefox\xul.dll+a0e2ee|C:\Program Files\Mozilla Firefox\xul.dll+db13d0|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8 10341000x8000000000000000159856Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159855Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159854Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159853Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159852Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159851Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159850Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159849Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159848Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159847Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159846Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159845Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159844Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159843Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+db10ca|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159842Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+db1041|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159841Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+bf1e5|C:\Program Files\Mozilla Firefox\xul.dll+db0d18|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159840Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+93cfbf|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+15eda3c|C:\Program Files\Mozilla Firefox\xul.dll+194560c|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159839Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159838Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159837Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159836Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159835Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159834Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524552C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3ad|C:\Program Files\Mozilla Firefox\firefox.exe+2e5b5|C:\Program Files\Mozilla Firefox\xul.dll+1f40fea|C:\Program Files\Mozilla Firefox\xul.dll+93930a|C:\Program Files\Mozilla Firefox\xul.dll+937515|C:\Program Files\Mozilla Firefox\xul.dll+93dd7e|C:\Program Files\Mozilla Firefox\xul.dll+7e0ef1|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159833Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.088{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.9.981398691\356027077" -childID 5 -isForBrowser -prefsHandle 4476 -prefMapHandle 4372 -prefsLen 6773 -prefMapSize 245782 -jsInit 1084 278680 -parentBuildID 20211103134640 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 4460 124f8ace538 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862LowMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000159832Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}4352788C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+93fe81|C:\Program Files\Mozilla Firefox\xul.dll+9a7cee|C:\Program Files\Mozilla Firefox\xul.dll+cbf41|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+16c7915|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159831Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:55.067{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.9.98139869C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159830Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.067{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159829Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.067{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159828Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.065{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159827Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.065{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159826Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.045{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+994ec9|C:\Program Files\Mozilla Firefox\xul.dll+db86f8|C:\Program Files\Mozilla Firefox\xul.dll+195ab5b|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+192a2a9|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000159825Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.045{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000159824Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:55.045{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-3C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000159823Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.030{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\pending_pings\5a816887-3524-4764-9fca-6ed097e3b991MD5=2742DE5460D85F7B9BB015583B86ADA7,SHA256=872CBC3C28236A2297E5090C2666DA5C1E67CFCC88D9DE0E313DBC2539728147,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159822Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.030{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159821Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.030{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159820Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.030{189417FC-2AB1-618E-A201-000000000602}96\chrome.4352.8.209130542C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159819Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.030{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+1b443c|C:\Program Files\Mozilla Firefox\xul.dll+94a036|C:\Program Files\Mozilla Firefox\xul.dll+94490f|C:\Program Files\Mozilla Firefox\xul.dll+1946e91|C:\Program Files\Mozilla Firefox\xul.dll+1945587|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159818Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:55.030{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.8.209130542C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000159817Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.030{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.7.1905564C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159816Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.030{189417FC-2AAF-618E-A101-000000000602}43524700C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13032b|C:\Program Files\Mozilla Firefox\xul.dll+1192e1d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159815Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.030{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E131A79E46FAC8FE7E0B4A341DEE89,SHA256=9BF3C0531414AF79BD6E27EE35745A0521D6C8055A8E11D173757EC0BA38CA53,IMPHASH=00000000000000000000000000000000falsetrue 18141800x8000000000000000159814Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.030{189417FC-2AAF-618E-A101-000000000602}4352\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159813Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}4352788C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+93fe81|C:\Program Files\Mozilla Firefox\xul.dll+9a7cee|C:\Program Files\Mozilla Firefox\xul.dll+cbf41|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+16c7915|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+25f52|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159812Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dbf8c9|C:\Program Files\Mozilla Firefox\xul.dll+db1420|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159811Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+986b14|C:\Program Files\Mozilla Firefox\xul.dll+a0e2ee|C:\Program Files\Mozilla Firefox\xul.dll+db13d0|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8 10341000x8000000000000000159810Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159809Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159808Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159807Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159806Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159805Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159804Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159803Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159802Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159801Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159800Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159799Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159798Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159797Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+db10ca|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159796Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+db1041|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159795Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+bf1e5|C:\Program Files\Mozilla Firefox\xul.dll+db0d18|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159794Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+93cfbf|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+15eda3c|C:\Program Files\Mozilla Firefox\xul.dll+194560c|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159793Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED657760AB07604E3E87DC76B65F34CF,SHA256=B4B22628F491AB33C6E6D421BD9287DE315044A577FF776B828D931529921CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118835Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:56.745{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85250A58600BE88BB955E9BB9D1AEF9,SHA256=3A15785E0FCDC9EC3F825FBD89CD2AEFF71B7EB8EED19D6CB452693B2FB07DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160036Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.741{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160035Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.441{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC12B5FDB8A877A1B63878973B4CDE37,SHA256=B62BEF23891E732B1EFA9E6FDFC63BD6ABDF4F695F57DEBE470A129C73719DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160034Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.424{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9742E453FFDF88DD3CD4C879F02C68,SHA256=A42454262F8064F8EC04B470CCE7F897B768E479BA85DA6FDFEFAE8709F243A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160033Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.163{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-54552-false127.0.0.1-53domain 354300x8000000000000000160032Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.151{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54552- 354300x8000000000000000160031Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.151{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98f0:63f8:be0:ffff-54552-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000160030Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.123{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local63252- 354300x8000000000000000160029Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.123{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local64147- 354300x8000000000000000160028Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.123{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50640- 354300x8000000000000000160027Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.123{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local54552- 354300x8000000000000000160026Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.123{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local56284- 354300x8000000000000000160025Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.121{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local49982- 354300x8000000000000000160024Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.121{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local64796- 354300x8000000000000000160023Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.984{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57589- 23542300x8000000000000000160022Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.226{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160021Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.226{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160020Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.225{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160019Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.224{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160018Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.222{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160017Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.221{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160016Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.220{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160015Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160014Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=83BCEF27E5B36115C2ADBA73CE9A7D2B,SHA256=3F68B0FEFBD484094D6517761B2DC13C6A430DDE3B44FA6CCACA3E39052D2AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160013Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=177BC07ECED26CEBE0441C318BD35BB8,SHA256=2A816C802C006DF75CA86E1497E4CF05DFB0F07DB0CD31C0EC30EDAF92C2DF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160012Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160011Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160010Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=9C65A6B3E14202919AE8AF28339870DC,SHA256=AEF70711C6ED424AF4A4B436C287000B86803D4E8D3D7D45D744147A74DE3068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160009Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=8B0B930BD10040516CECF865CBF807F0,SHA256=1F0B43926BEEC28F5BC2A9B9A3E19F8EE28329768934AC76EFD19B1FF7469A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160008Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.188{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=8D2088E9683D3730233F5776B93105AF,SHA256=6FD54563C82D91D5E22EC27B736AD2611AB715D8780CFB5975F4146952BF1837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160007Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.126{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=804E1F68C038B57109DFB9ED9BD6735E,SHA256=A63BA4635A311071A50C85343BF670972D7A48203E77353DC7A7B02EAA29B4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160006Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.126{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=28B5CFAC70BE55D3E50FD031ABA59003,SHA256=AC664612DF17CB27C208F3266C90C5598401C467C04D006E0F240547A214A8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160005Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.126{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=664710C1B91D04A31D4AD6123807D44F,SHA256=6220FFF1EC2676AA2ADBF503DEC5EFF7FE3660EBBE296629AB9E31233706C05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160004Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.126{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160003Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.126{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=DC6938568B6DD7673AD033919FCBFAB6,SHA256=86F423E55F67ED58A2EAD5DDE02F589074F76D57919F075E52EDF364616FF028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160002Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.126{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=785F7A5B79F8084DE618AF1B4EA2667E,SHA256=4CECE008A7CA2928FBBFC2A78276185A4A578AAD889DBD2A3BF3B7A71D249B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160001Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.120{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=F1B80154F1F196BC589A2EFC8E03FCAE,SHA256=A8562894EAB9D248FFD608309743CCEF45AF665744FB5EBD753A7B8CE7FDC7F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160000Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.104{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159999Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.104{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159998Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.104{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159997Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.104{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159996Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159995Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159994Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159993Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159992Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159991Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159990Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159989Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159988Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159987Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159986Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=BF6C363FCFE18836F5B693AC897B03D0,SHA256=3436668289A12D65E3C22BC60B8E2EA8D2D6CF15DF1402FCB3C16DD875D438E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159985Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D5F2E2EC2D972EA4E3BD5E52478574EC,SHA256=5A9F549160D35C4F4CCD6CC4EF4B63FF1A8859F8374AEA866A10F61DC2559E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159984Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159983Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159982Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=C18D748EA4EC42607B01F62BD69CFCCA,SHA256=C3D2FA87A01F8DBA161F97959CC08E146AED0F15A3CCBD94B7019A4DBF2A14EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159981Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=1FC7B2422CDE492733C09B15532720CD,SHA256=B3924A454B89471C1B26B69C90B4E1FC468B75BE378E7A1646CB1DF30AE59BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159980Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159979Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159978Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=10DF08FF9D77ACBF8F2BFB88B4BF1E3E,SHA256=4CC64D82E2EE876BA287302C877554B9D226416AF66CDF9C0350DBB845433881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159977Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E1E560A4EAE533286AEA5189E628BBCA,SHA256=0E5F9C474D34A165AF58EFB90E76E2CEDAE8A3E4FC29A6D9B9E2CFAEACD88A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159976Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.057{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=F1B80154F1F196BC589A2EFC8E03FCAE,SHA256=A8562894EAB9D248FFD608309743CCEF45AF665744FB5EBD753A7B8CE7FDC7F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159975Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.042{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118836Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:57.792{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410ABFEB5483DDF8465962D13E3248ED,SHA256=36BB679B7573CF09D996C8F938F1C4CD058E437A7F8B54C0EDE2C06212B90AA4,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000160042Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.468{189417FC-2AAF-618E-A101-000000000602}4352d2nxq2uap88usk.cloudfront.net02600:9000:225e:d400:a:da5e:7900:93a1;2600:9000:225e:2200:a:da5e:7900:93a1;2600:9000:225e:1c00:a:da5e:7900:93a1;2600:9000:225e:d200:a:da5e:7900:93a1;2600:9000:225e:ca00:a:da5e:7900:93a1;2600:9000:225e:6200:a:da5e:7900:93a1;2600:9000:225e:2e00:a:da5e:7900:93a1;2600:9000:225e:7600:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000160041Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:57.440{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C93A3B3FE1E34C826BF76AFB5C63FAA,SHA256=63DBF4ED3B5658A35396C728BF2461F79E2B1BA16D314D80BA4D78D9099C6308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160040Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:57.340{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160039Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.458{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58726-false18.66.139.67-443https 354300x8000000000000000160038Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.457{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53457- 354300x8000000000000000160037Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.403{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58725-false52.222.214.96server-52-222-214-96.fra56.r.cloudfront.net443https 23542300x8000000000000000118837Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:58.948{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9745E68E3934DF0AD528BEC13016C1E,SHA256=4B008D4407982A2F9D803FE7530CB28ABBF890BF51C7988D040BE74B890417FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160048Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:58.471{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F0AE0C9613F5C5C23FE3BA208B6AD7,SHA256=9D289FC4B59D20AAA0028F6CC3F2DDBB52F01425E4A81B34C1B36EF9ABEF29B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160047Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.064{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58729-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160046Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.558{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58728-false93.184.220.29-80http 354300x8000000000000000160045Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.403{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58727-false44.240.138.42ec2-44-240-138-42.us-west-2.compute.amazonaws.com443https 354300x8000000000000000160044Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.260{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52488- 354300x8000000000000000160043Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.258{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local55074- 23542300x8000000000000000118838Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:59.948{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFB649C1C1EC2FF03F83DAC6BECD7D3,SHA256=F32ABCD5D5A717940BF7D8AD344BA72BE9CBB88FF6BB13AFB7BB6E1FD05A07E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160054Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:59.486{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C415517D288D8531F297814B661A086,SHA256=89ADECE04234C4484FB7CAFBEDBB1406A88152D80ED979C38B4D9BF372E6F82B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160053Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:59.386{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\doomed\12371MD5=983FE1B69C4711F6D1378870220DF2C6,SHA256=50F742F5C91BEDD196015433EC9137E06BCE2927F50E25C2FADA781BDF8E3682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160052Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:59.386{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\doomed\13493MD5=3051D44BFC3EB454D402081D5014077A,SHA256=142512EF04DED4CEEB1B5B7C61D6A9E3A636A5D4F95538993817BD18D817F589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160051Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:59.386{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\doomed\21495MD5=0ED112F13DC23F316CEBDA4A9B616349,SHA256=D498ADE2729B98D77B494B803D75032B3F3553772E5EEFD7FD46B18A1D361D3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160050Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.178{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51801- 354300x8000000000000000160049Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.143{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51801- 23542300x8000000000000000118839Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:00.979{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5281E7BF066E6EF86115856BB58F32BA,SHA256=1CC2D7B5BAEC7F4C6D95226D6A1A5D39E1A7C05714E28BCD4054B2E9A83497E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160058Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:00.500{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DEC08B97D929AAD7632DB6224FA80E0,SHA256=977A8E37B558B047181BE2FFA72E18FF210805F8D78D9A9D8441AC609D88B631,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160057Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:57.414{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-61131-true2001:500:a8:0:0:0:0:e-53domain 354300x8000000000000000160056Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.413{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-62607-true2001:503:ba3e:0:0:0:2:30a.root-servers.net53domain 10341000x8000000000000000160055Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:00.138{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118840Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:01.995{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323F78969C517C701980CED0A1100E70,SHA256=6AC136A1450E4FB49BF9DF8CDF82C488899F40A32B6030314786F3EA6E3E77E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160059Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:01.517{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C04A553352D23E2882521B30F2F36A,SHA256=D857903807D8FFB07B731F89B9F0949FD2E6BE8F38C841A47F438995655823BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118841Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:02.995{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1EBEF77CDDA840175A0950175D8135,SHA256=7D71FD9192067DD87EDFD7EF6E56F9420E6AB7C1116842824691AF16564F0342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160061Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:02.552{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6C994463B311AFAFC3D85AAFD6CAE1,SHA256=760527E36E7B94716F901C7A5BB63E854A2630E814DE86C47BCB1A3343F85BD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160060Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:59.191{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57610- 23542300x8000000000000000118843Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:03.995{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB3595DDFEBBFD83DBFAE8E1FC80DDC,SHA256=280E3D9DAD3D6280527E48234CF85DD97517CB468632C5E7CA21644CE36F119F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160064Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:03.566{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B692ECE61BA9086E65B7CB2C8B6FA5,SHA256=200EBFA5FD22C06BBB0AB5634D15FE259E125D212A87B63627F6B4D32E7345C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118842Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:59.682{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50116-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160063Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:00.821{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-62607-true2001:500:2d:0:0:0:0:d-53domain 354300x8000000000000000160062Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:59.238{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63251- 23542300x8000000000000000160066Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:04.584{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1BA6C3680758E7641165BA6F3BADE0,SHA256=ACBE43BA8B00965A19826659EA14023F2F959E10FFE0C82FD87898FD3AD9B9EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160065Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:01.190{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58730-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160069Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:05.683{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FF1000C3F9B8281EB9888E07867590,SHA256=CF1E3D0746BFBBC254D7F0033A7EA0AC4E9BF8DC72C83FF12854B5ADBDAA58F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118845Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:05.620{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C3E8E336A650837BF5DB0F7880FDE8BC,SHA256=B57F1EE9EC5D062BAEB5A10676D454BB168159D286FCAB362830C8C718E9678F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118844Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:05.010{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68EE124B08CCF478B47981AFF76FA89A,SHA256=46124B8A23357860C5B8E051C8455DEBE55D656349BD83512D7C6FCC3FA3E59D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160068Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:02.272{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57418- 354300x8000000000000000160067Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:02.236{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57418- 23542300x8000000000000000160078Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.698{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925E21FC4B62FE3D3861915713B38D24,SHA256=6D4AD5594ED524D5BDE2335429A44E80403E92BC30D86AF7C1A01F4FBA05E873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118846Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:06.013{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636B9D82BA8A134433FD32A2AF2E0ECE,SHA256=65CA43F06AE0BCC1154BC12AD5D16D56FE7AF24DDCFCB2ECA3419069EFB799B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160077Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.520{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=17C2F1D66B218F2F28A2CBC3FD78BB75,SHA256=D720F8C84DB6BF654BCBC327579CCADE4F71D677526082CE8BA950950C77F7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160076Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.518{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E31FB8BE4C2CDF5118630E6B67CDDCB3,SHA256=2AE80A050E690F48EEA9F8C5C6DFD2624E86D578EED7C15BBDEBA4F02D46C46A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160075Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.383{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000160074Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:03.871{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-61750-true2001:500:2:0:0:0:0:c-53domain 23542300x8000000000000000160073Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.167{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=D30A26A6452BC69F9B6A33D4CAAAE00A,SHA256=5764F121CC18538D88866DFE5E87D8E6E5EE21771D679532AD50E6E69B4DEA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160072Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.167{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160071Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.167{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160070Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.167{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160081Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:07.768{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1985322C6A8752AC3CD16359D6635C83,SHA256=F4A6BFCA12FFA776ABB80A6F986608A8F8278A6C44D1B3F26A2A4A1CC5C44409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118847Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:07.026{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F99F6D806199BFE416755F1AD7344E,SHA256=94BE67C268827F53C529E263A3C5DB36B7B806FB19D4EC9075D6AA098F479E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160080Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:07.383{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=E6D683ACFD289CCC2903D5202D6AAB71,SHA256=1A10110FD6C9166B66C104EEE56F52F720F81913E80B112D6AF8F2118487D01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160079Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:07.383{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=378752A316BAB100E6B158DE30DDFC03,SHA256=EEBA3F407C4611CBC714C04216F5E5E53F235EDDF97F89100F45C22DEADD6AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160091Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.784{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3FA3C38CB51853A5A52AED513188C5,SHA256=CF7C2845CD976636F0E81936CF84A7E67B72A4444145BBF479F364FA9F9E0A50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118853Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.620{147D18E0-233B-618E-0B00-000000000702}6242412C:\Windows\system32\lsass.exe{147D18E0-2339-618E-0100-000000000702}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000118852Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.276{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233C-618E-1500-000000000702}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118851Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.276{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233C-618E-1500-000000000702}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118850Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.276{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233C-618E-1500-000000000702}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000118849Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:05.635{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50117-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118848Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.026{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0571CE74AE029CEEBAD35B465A4306B2,SHA256=929C8EF976D824F3EED8BDFD52F7E41DBC649D0294CF7F2DA34DA08330C3BC33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160090Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.700{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C0C27D21275D906D85A2D26B60189004,SHA256=285F416CDC3926BFEF0447D30E9C00F3FFB710C166A48A39A54D57C8BC73C2F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160089Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.621{189417FC-2975-618E-6001-000000000602}45085424C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a220|C:\Windows\System32\ole32.dll+8c32e|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8dad|C:\Windows\System32\SHELL32.dll+2837fe|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000160088Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.568{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2AC0-618E-A801-000000000602}5520C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160087Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.568{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AC0-618E-A801-000000000602}5520C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160086Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.553{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AC0-618E-A801-000000000602}5520C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160085Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.537{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AC0-618E-A801-000000000602}5520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160084Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.537{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AC0-618E-A801-000000000602}5520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160083Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.537{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AC0-618E-A801-000000000602}5520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000160082Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:05.305{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57857- 23542300x8000000000000000160105Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.838{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4ED5FB9BEC9B231C21A8CF3E252FEB2,SHA256=497E529E279FD6D1C20B06C45D32CA822FC24F547C20022CFDC70798E9514265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118854Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:09.041{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DB9B911E24C9B5457FE997EE653472,SHA256=F40759C49247AB72047E2E9F89FFE408DA22F376CF9E28C28EC35795B80B34E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160104Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.638{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E428D9CA0507CB1D841D2B43819F71C6,SHA256=833B7061ED266BC39FC16BF500B480B3A8B2E88A9D90C369A2D4CF5C5B4C7382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160103Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.638{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFE4A61409311E0F8E4E81CA0599F490,SHA256=95C0DAAA3BB25E39C6135D3BF7EFEDF2C09398E237F42A50F2DB00B3E880C60F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160102Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.236{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58731-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160101Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:05.336{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57857- 10341000x8000000000000000160100Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.100{189417FC-2975-618E-6001-000000000602}45085424C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a12e|C:\Windows\System32\ole32.dll+89a2b|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8dad|C:\Windows\System32\SHELL32.dll+2837fe|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000160099Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.100{189417FC-2975-618E-6001-000000000602}45085424C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f02|C:\Windows\System32\ole32.dll+899f9|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8dad|C:\Windows\System32\SHELL32.dll+2837fe|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000160098Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.053{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160097Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.053{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160096Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.053{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160095Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.037{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160094Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.037{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160093Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.037{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160092Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.037{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160108Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:10.853{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF22E676121D8CE9FF1FAFF7FF17933,SHA256=0D7ABBDBAD0E02F277D9B8E43E4CFFC9C77DAA99DFD34828C529D90E55AE1014,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118857Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.170{147D18E0-2339-618E-0100-000000000702}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50118-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 354300x8000000000000000118856Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.167{147D18E0-233C-618E-1400-000000000702}748C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9870:38cb:8c6:ffff-52071-truea00:10e:498d:4328:41b8:400:0:440f-53domain 23542300x8000000000000000118855Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:10.041{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42478B831AEF857AE42961CF6A1DA05C,SHA256=1289297DC82C680477640F84695D5C81B35EC3D7B797A26532BE2DB6D4F7CB29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160107Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:07.645{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-2950118-false10.0.1.14win-dc-362.attackrange.local445microsoft-ds 354300x8000000000000000160106Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:07.642{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.15WIN-HOST-2952071- 23542300x8000000000000000160110Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:11.868{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FE494FCE62073412AC80397DFAAA75,SHA256=35D27014F71B7593B7D850D4CD8B3E18FB4EE9CE6ED79C013193B04FC03F1B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160109Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:11.417{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118858Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:11.057{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C67AFA056A1EB226EBF62B97C924DB,SHA256=9A9589CC6F5C365011C90E25516C481BF24ADE54C45B3E1A04744F0B6188373D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160112Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:12.898{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BEFDE325B06E0F3CCD43BD7C828048,SHA256=DF48A02199C554FAFDEB468B141D1F9538F92A9E061D9EC748818123E5E5A424,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118860Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:10.682{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118859Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:12.057{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8059739581B8B9A39633263CE48E264,SHA256=DD4A1821C8F96D5997605C4E95A16081EBF698754AFA6167270DC515516D866A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160111Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:12.638{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-030MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160114Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:13.917{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B0590BE469A054C1643E761E5D9E18,SHA256=E83E5C861276494D87D3917511CBFD46C3C295E728AFD0D7AA32A4999278612F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118861Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:13.135{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEF2891636DB999C41BE2F0431F7F91,SHA256=97CB6B7D278D323E968BF161AECEFB97DCB7B3C39A111ADC5D342FC248534E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160113Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:13.652{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-031MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160115Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:14.919{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6A5D055047185EA8E5642EE9917B42,SHA256=7DBAB1602CDA77A282A8C228D9293F667F58C50761585200B8981969BF20A9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118862Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:14.151{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B740C041028219C0E4CB1A8C36A652DD,SHA256=09E548AB2991BFC1652D1A43C250F723F9F72C7C74F45A8531A0F011363E4497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160117Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:15.935{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1410D44984000A995B82FED0504A3280,SHA256=EFB4D793A7B67DFDBFA1D27D9AECEBADFFB590732C6E2DE81ED183C97F07E8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118863Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:15.151{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8699708B6FBF8069DAF63567458B6F,SHA256=F866830C3C58654EC383CD5902A8479269053D8728ECCC9AAA46CFD78AC9854D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160116Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:12.188{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58732-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160118Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:16.935{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95625B3B5E1D039FD069F3F03E73210,SHA256=44F220461490536680527A9E61F6736E43E3D869701F7200F235B9262EEC7603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118865Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:16.276{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118864Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:16.244{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3216FAE586A7801BC3F4CA58BFA9B7,SHA256=17C42B398E4784B5D87032348E4166A7F5D4446F0AB6A3F0032B6366242699A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160119Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:17.936{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BA153FDDE55E385B265D01B8A274AD,SHA256=96A99F84931DF097720D80E480EAAAF880DFB8EC95D2A0F7649614C521DEF1FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118880Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:15.807{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000118879Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2AC9-618E-6F01-000000000702}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118878Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118877Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118876Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118875Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118874Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118873Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118872Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118871Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118870Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118869Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2AC9-618E-6F01-000000000702}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118868Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2AC9-618E-6F01-000000000702}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118867Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.792{147D18E0-2AC9-618E-6F01-000000000702}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118866Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.307{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14282B9CE364633F26097B4A225B8F70,SHA256=3D36744E9CDCFC1C66C478B8711D537AA5162A14D5FE7E68F57AA83FDD4AD6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160120Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:18.952{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7EE6A77DCAF0E6502D5EA28FB711A9,SHA256=2D28ECD38F6548474CAFAE1F47D85CA245C41FEC98936491A8E4820AA5330016,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118897Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:16.682{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118896Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.791{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AC7DAAB84FC80A7DDB416C617D5C43B,SHA256=6776C86884D785D85AA38E0940139706C33A85705FBA3599C42AA4285011B889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118895Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.791{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2609125181F541E4393A72304A1C4AF7,SHA256=0AEF3015F70EFCF284562685EFA2C9E82B5B68BFE024000AAFDAA9AAF59AB1CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118894Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2ACA-618E-7001-000000000702}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118893Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118892Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118891Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118890Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118889Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118888Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118887Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118886Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118885Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118884Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2ACA-618E-7001-000000000702}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118883Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2ACA-618E-7001-000000000702}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118882Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.511{147D18E0-2ACA-618E-7001-000000000702}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118881Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.385{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47CA6C5D60E020CD76ACB1E06C009A0,SHA256=544762FD7D471F4B082BCE9C0E7E3BE2A9D7F8436ED042A7B64E2B67A69A7BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160121Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:19.967{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D3BEC8C5D1F492DD97A06B2C76DBE0,SHA256=1AFAED9569E4EBBE0C790BCC95FCF773090FFB2DDCD49899C73F481CC1F11795,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118911Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.213{147D18E0-2ACB-618E-7101-000000000702}33401540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118910Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2ACB-618E-7101-000000000702}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118909Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118908Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118907Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118906Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118905Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118904Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118903Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118902Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118901Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118900Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2ACB-618E-7101-000000000702}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118899Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2ACB-618E-7101-000000000702}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118898Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.011{147D18E0-2ACB-618E-7101-000000000702}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160125Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:20.982{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C268E097E91A5D9BB5E72588C44A55A,SHA256=80B130E3735510658D56817250D9DD715F1D5162BB3455F43DF5C611E38F2271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118913Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:20.119{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AC7DAAB84FC80A7DDB416C617D5C43B,SHA256=6776C86884D785D85AA38E0940139706C33A85705FBA3599C42AA4285011B889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118912Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:20.010{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AB64B504A9FE844A02C7725596E887,SHA256=69C2124182CA1E1953E5134120607621F315EEBA9FFBC929B273F2E35E23E3A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160124Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:18.105{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58733-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160123Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:20.519{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D9FBD2301F99187C6C71AB6E266DA40,SHA256=32569C0FFCFCE41A52AE1A264FDAFA7199416E1F39D509D3EA50FDCD9020DA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160122Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:20.517{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E428D9CA0507CB1D841D2B43819F71C6,SHA256=833B7061ED266BC39FC16BF500B480B3A8B2E88A9D90C369A2D4CF5C5B4C7382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118941Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2ACD-618E-7301-000000000702}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118940Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118939Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118938Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118937Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118936Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118935Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118934Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118933Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118932Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118931Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2ACD-618E-7301-000000000702}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118930Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2ACD-618E-7301-000000000702}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118929Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.839{147D18E0-2ACD-618E-7301-000000000702}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118928Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.307{147D18E0-2ACD-618E-7201-000000000702}22242632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118927Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2ACD-618E-7201-000000000702}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118926Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118925Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118924Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118923Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118922Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118921Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118920Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118919Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118918Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118917Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2ACD-618E-7201-000000000702}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118916Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2ACD-618E-7201-000000000702}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118915Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.136{147D18E0-2ACD-618E-7201-000000000702}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118914Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.119{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6DC93BFC09AB8A50A5AA36270889E9,SHA256=65264498158492208A76DE8E3BE0438073AC859CCBEFEC238B1499FBE280D5EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118958Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.651{147D18E0-2ACE-618E-7401-000000000702}2028288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118957Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2ACE-618E-7401-000000000702}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118956Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118955Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118954Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118953Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118952Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118951Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118950Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118949Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118948Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118947Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2ACE-618E-7401-000000000702}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118946Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2ACE-618E-7401-000000000702}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118945Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.450{147D18E0-2ACE-618E-7401-000000000702}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118944Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434015352745FFAFC787EC77206826F9,SHA256=EA34135F6072EBD4AF97FB8922F08E340DCB59ADBB2017E6E19B5B93B99B8EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118943Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7D6CD6BA9AF346044941F8B0272F4CE,SHA256=7C8574CE2A437C19132E32D413CA69E7DCD4C5FB05825E07CCD1F5866307187C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160126Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:21.997{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED86E1DC973A92CF78711FA84C120BE,SHA256=A0092AD78AC433D720A17F269E49DD11C45D9AACFC02DD4F3B48AB569C31D63F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118942Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.026{147D18E0-2ACD-618E-7301-000000000702}3628380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118960Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:23.682{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=414D482C20ECED0A875B89DC7C07A157,SHA256=12437B673307A6150FE1E49C49239CF997492DC7FEDFFB6F6EAD94165A7A5CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118959Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:23.510{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6236E78D088E7E353C9B712E9E954A6,SHA256=DA6103AC7F8B87C8960734BE447DE95729975DE7035EA44B15578D1D33A19E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160128Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:23.434{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160127Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:23.014{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3EA78C9F13ECA5AD892952C4B8CB75F,SHA256=BB4454560FF0E20CD38299486AD97D593E061032BC9C68AE2E83A1276ACDF513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118974Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.572{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8A77AAE3E315E16F019840D45DAE83,SHA256=328E6E61515358171ECBD0E53142B51CF61C00F47A70325E2C57D3FF2EB1BBB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160133Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:22.434{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58734-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000160132Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:24.734{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160131Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:24.116{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2967-618E-4B01-000000000602}1380C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160130Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:24.050{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160129Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:24.034{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F17F03D31EA316098FFD0107C3126D,SHA256=239F2573E3E934A32E514EA294B68E73C7CB2D349FDE7D812F5BB8AE1BE48EA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118973Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2AD0-618E-7501-000000000702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118972Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118971Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118970Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118969Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118968Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118967Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118966Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118965Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118964Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118963Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2AD0-618E-7501-000000000702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118962Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2AD0-618E-7501-000000000702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118961Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.326{147D18E0-2AD0-618E-7501-000000000702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118977Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:25.588{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219AADDC0B9EDBEE71A7C46A33FDE070,SHA256=19228443C3B0EB60C5927A6EB23CBA8FEA3F2748AF08141E79CAA8A96D9CB77A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160135Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:23.219{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58735-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160134Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:25.037{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04AF8E6DB1F479C0B932C546956598A3,SHA256=EA1A01530C1F5B025D60EDF5FEA6B96C17345139171A0CB19A5AAA656CB645CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118976Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:25.322{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE9E2826A27E41D28BEA4D93E271C8D5,SHA256=92412E582C83B501637163F919E02695CA97E02A2DA4F402DDBFD2CF9D016545,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118975Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.588{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118978Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:26.604{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763B556A1F5403A93E2F0E3DB5C292B4,SHA256=4DBAE3CBA089885C1C67A2EBB97024FD1AC02A9AD1133553EB2175A6A019740A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160138Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:26.054{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DB8C677803AF166EF24C2C47D58500,SHA256=FF4FFCD95BCBA935E2AEDABF3CAD01E4EAEFA409C9939CBF01E16E0E57E34901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160137Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:26.021{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC89B1DBDEAD0B77EDFB089BBD2D66B4,SHA256=633EC925BAC3F3C2F6F66F1E50DA23D65C3C99A48A0141FB91F2650A57823A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160136Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:26.019{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D9FBD2301F99187C6C71AB6E266DA40,SHA256=32569C0FFCFCE41A52AE1A264FDAFA7199416E1F39D509D3EA50FDCD9020DA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118979Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:27.666{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FD03FE8B16B51645892B63331C4C88,SHA256=DF890880144764D91FC552A48BC9210BB9E6062086EF92C84297D46263C683C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160142Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:27.154{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1500-000000000602}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160141Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:27.154{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1500-000000000602}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160140Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:27.154{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1500-000000000602}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160139Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:27.119{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82BF60AEF38864E8F5B30001603E60D,SHA256=2009880CB87E0A259C4E541A47F7760D11978DCAA5DCF6A47D45F78D7508E969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118980Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:28.682{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934DC816B182DB2A5E2D1EA63EB0850B,SHA256=6FE304CF4778A1AF3B0C6AF9E347C8EFF4C45210BCCFDFBF12B0B99D2366A90E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160143Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:28.201{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EB8CB9E7FC132C1840F1763969523E,SHA256=492951B5F4136E059CA2FA1210C216DEB1AAB8898DB00EE9FC5A657BA0F24372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118981Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:29.729{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6232610B6623C478142422B9D12C2C,SHA256=68DC0BB624C41C9596B2BA849921BDE980EDD0F87B6D9D35DF5111C6AC15EACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160144Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:29.218{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02B61CE1DF32B790C73D358E8D82BC5,SHA256=8E0E8EF4FB2E89C9EE8049EFF72BEA0C0D0AF22A29A65B8629C15639EC1DFAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118983Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:30.838{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818743C7D229EFAFAC14BE13BA7A325F,SHA256=7BDF96A114453F9906F5E65A1BF78D69A22076E3EEA6BFFB316602E57DAF25D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118982Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:27.728{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160145Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:30.268{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D62C7051F47494BAD15505D3939551F,SHA256=B0AEE0267BDF876BF1C2425A3C4433782AD3D36F031EFAD4E0048A044D79E964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118984Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:31.854{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2F9AB159E9267F67FEACAE9C8ABE20,SHA256=AC0ECE261ADDBD103934E424C33DD242F7FE894663A7BDECE761E4256893027A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160147Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:29.174{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58736-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160146Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:31.268{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B486FB5B1E2BCC15040E0EF80A53DE8A,SHA256=CA847E210BF1456FA2D8440321791B099104AE25207B701DD5E55B75845602B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118985Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:32.932{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B56056EB8D35A6CA89E5F5ADA5A269,SHA256=1F30BA3D5844C0430741B843E4DF4C9B26A3FDE19463399A8CBA1B7C1EE29A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160148Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:32.369{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E7A4DF43AC52FDF76016C34ECDF3EF,SHA256=C909FFF3B19CA030BE5A79AF49A56FE057B721145426796209322D27FE87713A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118986Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:33.963{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF210B9A9FC7DD5E4AEBCC37C4033C4A,SHA256=1F909A3C1BF561E20D8A4C8E4DA76EAD68CC808DF4DB77505397BF8C8A328A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160149Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:33.439{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76FC2D42B251037EA7A218DFF637A18,SHA256=07F5194F3CA8F293037931EE3774041F610D547CAF6B34FBF2F3205EA323E751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118988Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:34.979{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7D587E35166E796D96D0801B2AD79D,SHA256=99EBEA1DA73BB89FC9295A9339B398DD4954481F6A08CDF482E654E49546F329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160150Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:34.470{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45ABF91FA8827CA090B7B34EDB29D50E,SHA256=2FF6BA69A5CD45873138CFC24869CA29D25F564CD176347202232C87971D872E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118987Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:32.760{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118989Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:35.994{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BED416DB6DF70658659F6ADFECE8DB0,SHA256=5B87C3A383C34B17670B8E2B983B0CDDFF0C2E99AEC60EE76E21551186987BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160151Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:35.619{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB201434DAF35A0987F3F3B686E57DCD,SHA256=9F39CBE91B464B5A9949D1A56A4F4261657D5FC626B1F29424EB5FF97AE84268,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160163Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:34.260{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58737-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000160162Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.925{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2ADC-618E-A901-000000000602}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160161Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.923{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160160Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.922{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160159Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.922{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160158Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.922{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160157Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.922{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2ADC-618E-A901-000000000602}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160156Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.921{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2ADC-618E-A901-000000000602}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160155Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.920{189417FC-2ADC-618E-A901-000000000602}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160154Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.640{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD2F02D2AC3BD75F9C5C64EAB5DD850,SHA256=236CFF25E9BE5D63E7ADB82BB416830984424496B62A54B9CE864BC6D7CFCB0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160153Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.054{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2973-618E-5001-000000000602}2732C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160152Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.054{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-233F-618E-0F00-000000000602}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160181Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.949{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B5D9513173C8213CF4F576CDEF90BB6,SHA256=6E192D8D7E45DE4C3E93D59010F040DC8B9B60691001E1003808274CBB9B39B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160180Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.939{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC89B1DBDEAD0B77EDFB089BBD2D66B4,SHA256=633EC925BAC3F3C2F6F66F1E50DA23D65C3C99A48A0141FB91F2650A57823A2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160179Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.688{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160178Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.688{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-233E-618E-0C00-000000000602}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160177Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.688{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2975-618E-5701-000000000602}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160176Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.688{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2975-618E-5701-000000000602}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160175Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.688{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2974-618E-5401-000000000602}2292C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160174Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.688{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160173Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.656{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE897666E8F772AAFCFF23B6A2FB268,SHA256=4A8A61D398C91B70A5BECB5793AA3BE312E6A637275D45C066354E054935093E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118990Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:37.010{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B723D009AC8152C6411074478F83FD,SHA256=CBEA534A133015A920BD14669FC8CA1F71831B244E327837603E964E88A7EB67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160172Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2ADD-618E-AA01-000000000602}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160171Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160170Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160169Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160168Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160167Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2ADD-618E-AA01-000000000602}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160166Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2ADD-618E-AA01-000000000602}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160165Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-2ADD-618E-AA01-000000000602}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160164Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.156{189417FC-2ADC-618E-A901-000000000602}59965604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000160192Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.841{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58738-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000160191Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.841{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58738-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 23542300x8000000000000000160190Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.678{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684B30C87EDE446C48AB270173DECDEE,SHA256=06B72AAD784EE31425F3225A389B17CA491F772F03B56887621311A3BC9DE0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118991Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:38.150{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5553A29A0D4FCB4CE646197FA9769E,SHA256=4EDC309391936EC80AA14062244F0D736EB46AEA6907464AC2F5E4C3BB5CAC17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160189Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2ADE-618E-AB01-000000000602}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160188Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160187Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160186Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160185Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160184Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2ADE-618E-AB01-000000000602}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160183Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2ADE-618E-AB01-000000000602}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160182Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-2ADE-618E-AB01-000000000602}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160194Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:39.697{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8245D4B25190914CDA4843629ADA133F,SHA256=10A8617F6DDD49C297EF83194632ABB296E5D47796F3AF7EF49980604A82AE85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118992Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:39.150{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6580CEC686CC60CAFA3C8BA94D23F6BE,SHA256=792229018F5B53195F9269C5CE523EB174A5326CB9FA8585093D65165CBBD32E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160193Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:39.196{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B5D9513173C8213CF4F576CDEF90BB6,SHA256=6E192D8D7E45DE4C3E93D59010F040DC8B9B60691001E1003808274CBB9B39B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160212Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AE0-618E-AD01-000000000602}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160211Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160210Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160209Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160208Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160207Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2AE0-618E-AD01-000000000602}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160206Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AE0-618E-AD01-000000000602}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160205Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.877{189417FC-2AE0-618E-AD01-000000000602}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160204Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.714{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E33C16C17BF4C64AAEBEA3A6A4F3F26,SHA256=3822744025853E8D874378C6E0E5077523316731C7734D550E393F6A0812D98E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118994Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:38.760{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118993Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:40.291{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36ADC04ED1D14F5016BE66A5AE35CEF4,SHA256=4FE94444C257DF6E0B13E942024A9A3159F28BAD91DBC6AE0E2592D5D60A228B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160203Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.545{189417FC-2AE0-618E-AC01-000000000602}55646100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160202Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AE0-618E-AC01-000000000602}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160201Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160200Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160199Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160198Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160197Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AE0-618E-AC01-000000000602}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160196Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AE0-618E-AC01-000000000602}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160195Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.362{189417FC-2AE0-618E-AC01-000000000602}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160225Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.766{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E3949E7EFA319E2419CC37423086DC,SHA256=BBE17E1C8898EFD85EA39BC73808A402418856CB47EAEF2617B2CB608181A0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118995Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:41.291{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2574FAF2872042B12E139DAD3DFCFD20,SHA256=C14DF77EF0DEE1D807D50DD71B2C86E16974549AF57C8EA910C2554E3E37B2AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160224Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.678{189417FC-2AE1-618E-AE01-000000000602}51605172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160223Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.562{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160222Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.498{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AE1-618E-AE01-000000000602}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160221Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.496{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160220Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.496{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160219Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.495{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160218Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.495{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160217Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.495{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2AE1-618E-AE01-000000000602}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160216Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.495{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AE1-618E-AE01-000000000602}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160215Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.495{189417FC-2AE1-618E-AE01-000000000602}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160214Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.378{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B36366D2F6DEAA847B654EAE1626D47F,SHA256=079DC9B862923D6441A5CB667D6C49CC090C20C3986B7FB09E9A58E2CC930C8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160213Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.195{189417FC-2AE0-618E-AD01-000000000602}54765412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160227Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:42.819{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6350C79946A3DF366E22AF6DC809F5,SHA256=FFE622559C6E4A62004558A6A278755ADD0BCBC571BE6DB3DA18C79FDD9CC18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118996Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:42.307{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C498EBDEB7C6644473AF23101AA0473,SHA256=9D30D2EAF4F4A47EB8D2F40C24BB145CA80EA0669CD46A1C335ACC49B3707503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160226Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:42.550{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D6211A7A364058ABA8A4D9FFD4557E7,SHA256=8758364E7053332223F03E5A0EE6819A49025C7469D4602C78030C70CA8EC2E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160237Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.867{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF58A7107E5BF85A319A50D259A8AE20,SHA256=5A4F98AE9ACFA2B069B92000BEBF9968BCFD02D8D803CF8838BCB30EABC3665A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118997Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:43.322{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA6A9942E40F9B75F13D52A319867A3,SHA256=6AAAC49551840034D633566A426E8A4338CA0CDABAD8ABBFB82BDA272889871B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160236Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.539{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AE3-618E-AF01-000000000602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160235Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.534{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2AE3-618E-AF01-000000000602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160234Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.534{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160233Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.534{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160232Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.534{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160231Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.534{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160230Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.533{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AE3-618E-AF01-000000000602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160229Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.370{189417FC-2AE3-618E-AF01-000000000602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160228Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.153{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58739-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160239Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:44.891{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B301B42CDDEA40D592E5E3F31B18844C,SHA256=58F998C1534A2D289090FD59E559C67F1D2DEA9F3A02611FF439AA6B9692657A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118998Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:44.322{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9DABE4AE993B94706E42682D414C7A,SHA256=704460FCF2CECD6C636917FD421810A3103E5ECE5C19583AC46274F2835A840A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160238Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:44.386{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2EE2156872AE68D29B29D962261C141,SHA256=3D9BBD565E69DB67154DDBC7DF24880B7653D85606F1D9BB6E5BACEE8481CD2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160240Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:45.905{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E27484AC92992E22BC86F9E655F752D,SHA256=ED14CEC594E16F7D5E70B8FF2AA69E21173324480D566320572EAACF808CDA7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118999Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:45.353{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B1B6FC5506775C48F03AF559F3509E,SHA256=B6FCECF81E979B17AD523B7A719DA5C2DDBC2743A11AEDC4EF584E672CAEA3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160241Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:46.989{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45A9E0CFBF32CE90F4DF2A6F4B6582F,SHA256=E33285271A6C6CCC7B5CA2126C813DD197D205EE9A352677D028BFE82EC627C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119000Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:46.463{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD0EABEA0737323D6EDCB43066D0A5E,SHA256=5C550C83296EA712463C14F900E2C58BFBE2AEE184EA73B11F620BD9FBE4F340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119002Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:47.510{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654B4D85AFE412CB4920D03A3289951A,SHA256=5582DCE640EBAFA039E36BB8354D87EB915FAC38E0DF6E547CC4EE1F45C9D0DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119001Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:44.666{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119003Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:48.604{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344F784E9B134AA9F5592F05759D88AA,SHA256=28E236DD871A1F91AE62C4EED2A13086576EBCBEE1760FD85097C622A63B26FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160243Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:45.193{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58740-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160242Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:48.020{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716700D47D54C1702DABBA79C895C932,SHA256=5F96E556DCADECCE4E885CE8CF18EC3B37D681BF0DAA15B3B9726968D9746C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119004Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:49.697{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4456159226F0BF2E0DF74AA66768BAF3,SHA256=E6FE141C7A1DDCB177E1721F706D73EE261B02BC2C9832F342890C23E32962A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160244Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:49.050{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4305C84E2B543E62F2B85981E62B2FF,SHA256=A4829956B322A6DF0D0961C26296705B5FC5E647B6690025A393308D78366CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119005Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:50.807{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E40A7A26A8617B419EFBBDCDEDDE63,SHA256=A71E670B71ACFE10A267250DEEB56317EF979CD02DF2C1C38FCD91234D346FAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160246Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:50.502{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-233E-618E-0C00-000000000602}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160245Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:50.068{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80BA05388DE315EDE7F9E7BFC4FB0C4,SHA256=C976370506F189D94CCE7E47E1A8B195D0450D96B5920BEBE228A3F9A1BCDB86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119006Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:51.822{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2050C62195DF27B6662DB8CB025179A,SHA256=AC0E9BF5564CC4CCA08108E6D7D08C369BE01C31A2C9D13C0456A92953D74158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160247Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:51.088{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A577EF8BE4244434C5F05FDD43046F9,SHA256=A063B1CABD18A848D3DA318E65400E216940DCFF1936FBE29BD0FE0F4D503C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119007Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:52.822{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FEAE3479FEE3B3A7CA375EC2E8B014F,SHA256=5FB90288946C61224919ADBA3C9E7326E183771D357E512930675D2455414E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160248Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:52.119{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC65E902AAB6CFAD03E5AD3ED19CCBD,SHA256=8DE774A9287BD57AECF32A4F04017FC609FB2745DB2B2C1959120AB2E6DD8070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119009Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:53.838{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E76E967E48976CE82EF0BC200C5354C0,SHA256=FE98EE64A2FCD8D7DCA56E57D7A731004B1B14ECE742C63E84710E2010E7E919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160254Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.475{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\trash24041\9913MD5=5AB7EE429809A6E9B6A274095F07BBE7,SHA256=4A47ECE1DE3EAD842352E5F103D684B7AE00F1A8326A23C4E3A45EA337BFA130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160253Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.475{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\trash24041\3342MD5=8365A2675C121766CEA19C2861A0B055,SHA256=DF1982BEFAA7375DDD1AC24598711138137F1DCD1B3CF66172B0710D3826DCD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160252Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.475{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\trash24041\30245MD5=587CEF1C44990177718F111818E8B439,SHA256=A25946D2C8072E23D05DF9EF4898BDA78E5D104E4F156D71013B652FBE017241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160251Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.475{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\trash24041\29948MD5=36C470F68B6F0123F3681177E4F0AA7B,SHA256=3B8EAB3CE2A42EA6616476175BE76B73051CD6F676220DCF07DE300339A8A509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160250Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.474{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\trash24041\29651MD5=A9F4A9FA1CAC14221C768D5827D66081,SHA256=C17B42636C15AD0D40F926484CB1F16F8B2830AAB0BF85098A908EE177DD05AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160249Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.154{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C93F8893A9E35BC3F36F9A78A4293A,SHA256=41CB519E79A56B49B11624596D4C15A942682C7ACC44F5B0226414119056AF8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119008Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:50.650{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119010Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:54.853{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D40BE22C97CC5DADA0BD5D1ACB0AAA,SHA256=934B5719451E657A661DC3B2400061A2B9BC7D9928ADF2E5C1B07C237DA1739E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160261Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:51.072{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58741-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160260Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:54.254{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\saved-telemetry-pings\464d53c2-636d-40c3-8a36-986c70aee204MD5=D18C69CBC05F5F4F814440B3F4881BCC,SHA256=9067AF2FB4B0EFB9DF40E745790CBC490A0296E67DEA36E82E8A24145362830B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160259Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:54.254{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\saved-telemetry-pings\2028742a-7a1e-436f-9dfc-dda9e0e46b89MD5=32C485766BA459256450A13E3E4496D6,SHA256=8695D53156DE97A4E07A69F1B7CA511CFA4AD43789C487AF37ACB82539C3229F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160258Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:54.238{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\saved-telemetry-pings\31d22c12-1f75-4101-9be1-e6881a323d0fMD5=2927E70EEA85B4F95654A07FF3767F3A,SHA256=68B5938BB2E3ACF1971FA114267AF479B9A1D5117A3510CD86C147586B0CF068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160257Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:54.154{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74899288EE266E2133BA699A38420270,SHA256=06A925B379ED7C122229CA76F24E832C36F696439DEFD5391884CD40A0B39909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160256Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:54.075{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\uninstall_ping_308046B0AF4A39CB_5c341e8b-b393-40bf-a222-b7fa7980bd9d.jsonMD5=92642096A880F42086E7330849AC13EB,SHA256=617CE908575D3DB23C031BB6DA38F98955A3657C4ED64F212AAA5F4ED3DEA9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160255Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:54.038{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\session-state.jsonMD5=C7D9FE744E2EC3DBE33A57C5D6FDA529,SHA256=D75E9212AF4CCC68A46337CABF0B51F9D12FD2179D0B6A2E5D30F70AC8DF06EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119012Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:55.936{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5FF3DE5794B108C9EED302CFE2E5E7E,SHA256=6E4309F0B48209F4EB2140B4BDA84653EB8243B797FD1D73028FCC17D09DC1BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160266Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.097{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local54269- 354300x8000000000000000160265Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.054{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50822- 354300x8000000000000000160264Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.048{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50576- 10341000x8000000000000000160263Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:55.308{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160262Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:55.175{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687CEF1AE6A5F1046AC44120CFA5BC7D,SHA256=787B9E7056640FC98EE6220D7B201BC2D53F9D4C950BA38601C0A69F1AD1E29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119011Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:55.482{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-031MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119014Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:56.966{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA0027362206D73D87D5F8E2A8557E8,SHA256=902D673603DAEDE4B73B7DFA20616E66E4FF661BD39AEB8CBCAA234BFDEA0650,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160269Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:56.391{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160268Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:56.391{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160267Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:56.207{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94760CFFC46D73304ACC8D1AD7599B98,SHA256=D2D51FE9AB7F7BC676FB2E845FFA8E593F7B33D0A5D4EAE7F9E745893A54C147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119013Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:56.484{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-032MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160270Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:57.209{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD06B364B1C5E2BB90B69A21ED60E34,SHA256=9CB909F26F019E8294F05398F3E798415EBF70075F4698BCB93FA81C1846FD5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119016Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:58.201{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045DB840CE0B7EE5B2ECB064752A36DF,SHA256=90915B9591BB709081680A45AB28450B0ED813F3F825087FE025B80FF8BCF0F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160272Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:56.193{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58742-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160271Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:58.212{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F858DCF240420DDD9D55FDA8DC27A4,SHA256=4639D2FAAAFC06C6E9CDB735CA5DDF318C6DD01482DF26E8A9410E0FC7E27BF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119015Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:55.748{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119017Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:59.342{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91500C5AB8B2B612D35F98E63B61F908,SHA256=8E4ACA71FEDD6556CD8C17B2E0CC9A7325922C942124227661FA7D836D624973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160273Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:59.242{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F06699DD10E25FF38278296BF8A2BC,SHA256=33AF6586A81BC8ADD5515B6CF0B8D2B96ABDB3F4D034E35B36A1DCBAF656E974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119018Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:00.342{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE9D104684B648D22F3798866ADAA31,SHA256=043D8626F1CF84EF7A2EC772FF2A302A741CF146D455B762B177F0DD41DED346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160274Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:00.326{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC7B44FDB6A5895D4C6FD0A5890CEBD,SHA256=3EE02C2E1FC00B4DE6B938D6A2A22C17C66F22960745E8BCFAE893410F4D2C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160275Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:01.327{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D222B962417661EA8E07EE63736732E6,SHA256=CC02727103E2C9FC3704FB393F655BB36A142192F11C56A630F443654C3DF24C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119019Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:01.357{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826CDA7C10F9EBF39FF33C4189D3860F,SHA256=741FF36CBC4504AE8160AF010DD99190DD2A15281A509DC45225AF411EF5E3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160276Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:02.327{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2FD931C16F8A123966A289B486EF3B,SHA256=07E49C662FE78F904EEFE7175C5A780A8A079AB58BDDFC9AB6F904BBB5A36627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119020Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:02.373{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120C8EBC2E494E5A52F929BC1FFDACA0,SHA256=0B3573F10F8261B2158E4C9432EF93171BAABCC1D1EF900DF21D6A29732B6744,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160278Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:01.249{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58743-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160277Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:03.329{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71843150F51D1CAC3EA4679A4617DD6,SHA256=A9A335200117AD3B573394C4201061F427C495EFEFABB0D3EEB058C08648B628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119021Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:03.389{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF526FC149AB3314F37D1C4400CADF02,SHA256=2683CD59E4F75F54616F05A057AFA3AC1B3C37E5DECD6DD9667BE83B6267B44E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119023Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:04.498{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C33049490E6AEEFFE78586AE8C6845,SHA256=0C82AA75B94AA3F1E8831CFE2D8497A8790565E3DBE2185CC68ABDE0FD083E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160279Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:04.359{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3EC5D1E6EB41E49A3E07B3C37932C9,SHA256=B7DE225020E650AF1BF8DCEF11C6E3C344310269E6A0A7BF33F15695927E411F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119022Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:01.608{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119025Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:05.623{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D926C2568F7D3C06B7FE8B8F21640CCE,SHA256=6FEBA9BC2AC38B38E590654731A4F064C3384DC07D7652AAF2EE73AB687EFB7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119024Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:05.498{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5EEB63C7D26B4731DD88E8F8BFC9D24,SHA256=1684F91A1B89A8B78385B3FC57FABE8D89171F39B7BDCC3A13518AB85D07CD4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160280Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:05.428{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DD2AE0296F3EE4AE500E919EE099C3,SHA256=093270400FC46A12E9F1CD5F430EBEDBE4CE94E3D923A1C555D9ECC358550137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119028Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:06.732{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DD06E4C69A81C57192983CE88C4F7C47,SHA256=82BD5F0198B1F7DB4072A28EA83D87744FF53659DA9F45DE1D187A97E716B4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119027Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:06.732{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=038F7A27DC2E21746B1EEC0BFA977744,SHA256=C7959995612F2A0D075786AE4A1FE73C2D209F07CF08FBCA33E7A71344A3F0A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119026Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:06.514{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65088580190E834C8F26E796812C1999,SHA256=56CF3707A8F73CEA8FF00A5ECE7B3991E2A1900F772AEEBC5335C24402586031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160323Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.945{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A89DA44CEE9DADF0E7B3D47B1B3BF4E,SHA256=33F4EFB65C2317863E6E07FF789E1F1357BBE0FE773A158B852508FD2E9D127A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160322Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.845{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000160321Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.845{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000160320Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.845{189417FC-2975-618E-6001-000000000602}45086120C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160319Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.845{189417FC-2975-618E-6001-000000000602}45086120C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160318Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.783{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000160317Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.783{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000160316Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.760{189417FC-2975-618E-5501-000000000602}27083276C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000160315Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.760{189417FC-2975-618E-5501-000000000602}27083276C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000160314Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.745{189417FC-2975-618E-6001-000000000602}45085476C:\Windows\Explorer.EXE{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160313Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.745{189417FC-2975-618E-6001-000000000602}45085476C:\Windows\Explorer.EXE{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160312Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.745{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160311Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.745{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160310Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.745{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160309Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.745{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160308Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.729{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160307Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.714{189417FC-233F-618E-0D00-000000000602}904936C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160306Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.714{189417FC-233F-618E-0D00-000000000602}904936C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160305Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.714{189417FC-233F-618E-0D00-000000000602}904936C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160304Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.714{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160303Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233F-618E-0D00-000000000602}904936C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160302Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233F-618E-0D00-000000000602}904936C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160301Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233F-618E-0D00-000000000602}904936C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160300Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160299Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160298Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160297Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160296Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160295Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160294Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160293Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-2975-618E-6001-000000000602}45086020C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160292Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-2975-618E-6001-000000000602}45086020C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160291Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.682{189417FC-233F-618E-1600-000000000602}12521780C:\Windows\system32\svchost.exe{189417FC-2AFA-618E-B001-000000000602}6068C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160290Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.682{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AFA-618E-B001-000000000602}6068C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160289Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-2973-618E-4D01-000000000602}19681584C:\Windows\system32\csrss.exe{189417FC-2AFA-618E-B001-000000000602}6068C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160288Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160287Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160286Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2AFA-618E-B001-000000000602}6068C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160285Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160284Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160283Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AFA-618E-B001-000000000602}6068C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160282Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.668{189417FC-2AFA-618E-B001-000000000602}6068C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{189417FC-233E-618E-0C00-000000000602}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000160281Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.445{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE19678A272E873D4821F64B2FF0E5B,SHA256=9C499990DFF1E00561F739017891E78FA53CCF02B7C2847A26041DF9B3BE23B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160341Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.689{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6714C0A8B49BF3CF4090B2ABF8E8BFF,SHA256=4296C7F79C5899F7923B23A00295F6B2988D7EF3EF67A45DA788DC3E51CD1D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160340Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.687{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E0F315D266C454FAC2E77BC925218AC,SHA256=293A2653E41C23278A8062AD7026C5A1B6639FD4071D1FA4A7CF99EEAC4CCBCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160339Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.550{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160338Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.550{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160337Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.550{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160336Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45085488C:\Windows\Explorer.EXE{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160335Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45085488C:\Windows\Explorer.EXE{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160334Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45081068C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160333Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45081068C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160332Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160331Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160330Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160329Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160328Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160327Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160326Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160325Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160324Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.447{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF1CDD62CFED7893FEF73AB51B7FF44,SHA256=1CACA1041A5DE5B7D09D4BB11EAB8F15C6E4E9D37605D7E6760A2A1221EE07C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119029Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:07.514{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9837A54432A3A6EE0CC0D0A424903B9D,SHA256=0649B4267B0B31A8D41D8DC9697DBA1DDE0AF00F85ABAE79F1A023912A04FE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119030Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:08.529{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE54B5C96606A1BDD6C3161A487B2F4,SHA256=1F07C4F635EC2FE9EA7044CC9EBBD1CD54345A82B74F70221B5F69EBE806FBA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160353Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.301{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58744-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160352Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.706{189417FC-2986-618E-7101-000000000602}4572ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\djymreij.cmdline@2021-11-12_085032MD5=BC580ABAD2C3CF3FF5A76E2D24664D1F,SHA256=3F6E4B1803684613E6D827342EDB89622420B1297F5611A6C24DDD97E0821122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160351Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.706{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7964F00828526CDD375C3644B284556F,SHA256=D4DE214C2CE612126C743F16B03AABACE3233CD64C6BCE09D509803ED91692E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160350Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.468{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9EEA08F3B82182ACDFB2DF84906DFA,SHA256=3BD50D0AD542E761CB9DD2AC049827062A2A555D7D90441716630FAB057BD59F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160349Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.322{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160348Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.222{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160347Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160346Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160345Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160344Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160343Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160342Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119032Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:07.608{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119031Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:09.545{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F389BEBA37952852B3B2C7ED8FC8FE89,SHA256=73CB99B64C98D0C481744658C9801654A830B4900C15B913CFABB674D2BF84E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160359Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.496{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46E9953F1AD9BEACC5258F4ABC60BF0,SHA256=44CCF4E27BBEEDC9C6A6EA4FF3C96F983DD2F71637CBB9B43BCEAA62E833320C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160358Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.322{189417FC-233F-618E-1000-000000000602}4081064C:\Windows\System32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160357Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.322{189417FC-233F-618E-1000-000000000602}4081064C:\Windows\System32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160356Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.253{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6714C0A8B49BF3CF4090B2ABF8E8BFF,SHA256=4296C7F79C5899F7923B23A00295F6B2988D7EF3EF67A45DA788DC3E51CD1D59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160355Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.253{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2975-618E-5701-000000000602}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000160354Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.253{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2975-618E-5701-000000000602}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 354300x8000000000000000160362Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.380{189417FC-2975-618E-6001-000000000602}4508C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58745-false20.199.120.182-443https 354300x8000000000000000160361Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.365{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57457- 23542300x8000000000000000160360Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:10.508{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4BBD5DCA7F7024EFE9191352DBA263,SHA256=F92E53B29BF80C1A14719511CDC2E0BF8D1E84CA1BAA852C8F01C6E7E3D4955F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119033Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:10.545{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B63A34F4CE16B41322B89EBB08C8E22,SHA256=D2335C54331FFCA48B4BA498A451C6EC516ABCB8828C107AF8800A2B45552349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160363Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:11.538{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFEBEC8B29AB00980A5BA491275B3C1,SHA256=891319EA2E7C119F2156A7387EE41E7A67DF0057D8922D60D0F4215D9EF6756F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119034Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:11.560{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3877C6B6AF7B0DC6F2AE18FD5E15923C,SHA256=57EE4DCF3EAFD44125D05BEA4265CB1236C2805F48CD36D2DCE92034141056F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160378Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.708{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local64168- 10341000x8000000000000000160377Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.888{189417FC-233E-618E-0C00-000000000602}8483096C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160376Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.888{189417FC-233E-618E-0C00-000000000602}8483096C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160375Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.888{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160374Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.888{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160373Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.888{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160372Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.888{189417FC-2975-618E-5601-000000000602}19044140C:\Windows\system32\sihost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160371Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.825{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160370Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.825{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160369Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.825{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000160368Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.540{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CEF110E345B6215334AB94D6ADBA12F,SHA256=10B56F7A4C7DD09CC9A6D65C6A651DC63C7AF6D4E0808857AC2540FEFAE49F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119035Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:12.576{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EECC114CC53A299642E510A3AFF890,SHA256=44130874EA5233D4E4C062AC8F7FB376BB64754BD2DB32269DEB782D6A7C1E4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160367Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.305{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160366Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.305{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160365Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.303{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160364Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.303{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000160379Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:13.556{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD7E29224A0B0ED115E6877DD9CD172,SHA256=610BCB4742ED8B885EBA1F317C84AF1907DF957C0485AEB8CDC14D2539743499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119036Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:13.592{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A679DEB43E5F57A28E04E8FE91134B,SHA256=735D803BEA4D1BB2077878D31681F52CCA86F5CCBD919666D84374E5864A12C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160382Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.209{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58746-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160381Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:14.607{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8FCA0299121B32AFD9B7CD5F73CE95,SHA256=E3B51F00E57DB9E7E5226E59C5E9A1D8D5C6F021C9B839C8B3F5881C722D1051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119037Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:14.607{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F584921483F9DDB22E68E6F13F421C,SHA256=72D66FCF28DDE598DE76AE0A7EA90FE20A580A32920927C2D3557EEEFBE515CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160380Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:14.174{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-031MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160384Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:15.641{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145F52890BC3FCBAC615C7E703AC3A16,SHA256=894E35843D95926EB54FE7A992558222AD7703F0A81D100952397167BA1FD47E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119039Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:12.779{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119038Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:15.623{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3CF0959056A7EC2DA08B96403469CA,SHA256=D060E25E84524DBF06E98C9F2D41566B08E757C4C30F7818BAF58728B2737C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160383Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:15.187{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-032MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160385Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:16.644{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98118E67FE06F03652554360B8EDFA5D,SHA256=E1DCCF5D8A5E1CD06893E7FF945E24E38F1B4850B4ED5496BFF401E31E0DE92E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119041Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:16.670{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAD837D5F09A7BFE3C82F2CB01F25B0,SHA256=E5C6A44C29ED0B42B93C9D95CD603F2D7355A2118BF06BC89620EA0D892A3102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119040Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:16.295{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119055Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B05-618E-7601-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119054Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC51464DB3E94B4E7A2E5C1EFF3EB9A,SHA256=C4DCEF18A6247AEDB1471A5B8940366E1F6FF05D2D729C48E98188ADA83AA8F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119053Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119052Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119051Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119050Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119049Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119048Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119047Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119046Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119045Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119044Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B05-618E-7601-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119043Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B05-618E-7601-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119042Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.796{147D18E0-2B05-618E-7601-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 17141700x8000000000000000160387Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:51:17.743{189417FC-2975-618E-6001-000000000602}4508\UIA_PIPE_4508_00007ba3C:\Windows\Explorer.EXE 23542300x8000000000000000160386Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:17.659{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3E1BEF2BD68BBBEBF72858829E92B5,SHA256=B8C1D51EA93D29C017EE0588BB61B9AE1137E59967E474FBE84F138BE6DAE446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119072Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.826{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84A7AF5B726F407952784479095C317B,SHA256=3E1265E97E227C9068183FAA375F8AB0A2664E26E08CDC8F7DCCB813A9C30B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119071Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.826{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D8FD82DD4C0D22D3C65127C9317A4BC,SHA256=877996688B9F9FF3F67D39DAAFDA7D758D14DEE7F8DD068D6725864584C5CF43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160388Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:18.675{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B77D1B074DFF5863B769315C874F89,SHA256=C5526F09A3C7885154279F2132926B037C27AB1BAF6DAA8169946EF2B6D055EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119070Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.732{147D18E0-2B06-618E-7701-000000000702}30522500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119069Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B06-618E-7701-000000000702}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119068Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119067Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119066Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119065Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119064Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119063Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119062Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119061Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119060Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119059Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2B06-618E-7701-000000000702}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119058Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B06-618E-7701-000000000702}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119057Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.530{147D18E0-2B06-618E-7701-000000000702}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119056Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:15.826{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000119087Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.857{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21150AD88513561B262A184C6BFA5D5B,SHA256=3F4B861C8437A0C3B8F624847819426662EE98C061B4FB1B321E15FEAB622F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160389Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:19.690{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F525B9841B07C0A90D237DA692F3A06,SHA256=735585752E99AB292B6CA0266812FF054FA24DB328B09E1FAFB5F36F3265F2C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119086Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B07-618E-7801-000000000702}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119085Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119084Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119083Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119082Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119081Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119080Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119079Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119078Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119077Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119076Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B07-618E-7801-000000000702}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119075Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B07-618E-7801-000000000702}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119074Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.094{147D18E0-2B07-618E-7801-000000000702}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119073Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1068E5D16F053BB45EE43D393C49A91B,SHA256=6BB4524E50B16AA2F75DB5FF2BDF15EAAC1EB0F5394BA5096C59DBD869677F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119089Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:20.857{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D724F29D1F6D92F392C049BE345808ED,SHA256=5DC4425C217CEBDAF2D419EF4F2F96C4621A455995B61F8E1475544290EF417F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160391Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:18.096{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58747-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160390Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:20.690{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EBD34F59BBD0095A5EC66D79E99895,SHA256=6FF6A8C7E1FDD51186859BEF147F4D6E246BDCB89B2377ACC1426B21973ACEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119088Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:20.092{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84A7AF5B726F407952784479095C317B,SHA256=3E1265E97E227C9068183FAA375F8AB0A2664E26E08CDC8F7DCCB813A9C30B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160394Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:21.716{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12ADBE3B220A5EFEE19B3BB5625257FA,SHA256=BAF6FBA665CB92C5114F73A94E4FE7E6A14F6440DB69ABC3B0DCB22B387CBA88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119117Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B09-618E-7A01-000000000702}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119116Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119115Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119114Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119113Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119112Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119111Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119110Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119109Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119108Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119107Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B09-618E-7A01-000000000702}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119106Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B09-618E-7A01-000000000702}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119105Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-2B09-618E-7A01-000000000702}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119104Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.733{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000119103Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.310{147D18E0-2B09-618E-7901-000000000702}24082856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119102Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B09-618E-7901-000000000702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119101Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119100Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119099Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119098Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119097Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119096Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119095Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119094Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119093Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119092Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2B09-618E-7901-000000000702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119091Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B09-618E-7901-000000000702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119090Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.139{147D18E0-2B09-618E-7901-000000000702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160393Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:21.631{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=387E121967E82BE2D5EECF5F185666B4,SHA256=2D148F3C999F53E8F9ADE4CBB4DCFA0AF32A8DD7639A732285393E614DC98035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160392Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:21.631{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C3BF726C48E0018AEF780DBD7BB4614,SHA256=80CC60EA6782C92270A0080FBE5EBDC2D7399ABF2E1299A3F1E06D94EB24740A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160395Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:22.815{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F712D3D7EE76C8DDC4CD593A02622396,SHA256=CE1F5ED841113A7857C771B92442B6BD728A2F06E527260BEE664C8468616226,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119134Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.654{147D18E0-2B0A-618E-7B01-000000000702}968956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119133Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B0A-618E-7B01-000000000702}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119132Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119131Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119130Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119129Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119128Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119127Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119126Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119125Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119124Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119123Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2B0A-618E-7B01-000000000702}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119122Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B0A-618E-7B01-000000000702}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119121Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.514{147D18E0-2B0A-618E-7B01-000000000702}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119120Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.373{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4AC3D6AA5101ACE6D05D75610375FE5,SHA256=65A6780664D8D30400F1CF9D41A1A1B4C8EB8C337ABA4D4F9D09BA962C2608CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119119Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.013{147D18E0-2B09-618E-7A01-000000000702}26963968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119118Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.998{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEB4C871721851D4F9B93C89E3EA0CC,SHA256=07F00F0A51005BBEAA4C607122F78E4F0160A907D8EFE2DE39C628F7162F87AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160397Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:23.862{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D045019031CEB658D7AE99568E1C933E,SHA256=497CFC5D3D4A23724FF62CFA290D6994A53C40F197898F4230B866642C999552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119136Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:23.545{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44AE0C8CD7E073AB000193065C619B00,SHA256=4900BFDE4FE8013F58CC6302F878E489E4C0BD706CBE239F9E7BDD16EBC76138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119135Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:23.201{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EF78317E5E35AB29BEED069132A70E,SHA256=53BB380F037290877A4A04FFB25EC593DE271708FE2A5446F97A640E22A40065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160396Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:23.462{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160402Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:24.877{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C179EA0199DF542D71377855C79631D,SHA256=0ED4E64321259ACAC54D1C53438F66D535D657F3B79BD3ACBFAFE9DD0153CE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119150Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6366BC5A6FFA27418441FBC7AD56F067,SHA256=249629FB7993D5B066C1ACF22E34175F87E8CFEE693915FAB400E8672C90C1B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119149Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B0C-618E-7C01-000000000702}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119148Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119147Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119146Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119145Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119144Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119143Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119142Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119141Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119140Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119139Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2B0C-618E-7C01-000000000702}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119138Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B0C-618E-7C01-000000000702}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119137Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-2B0C-618E-7C01-000000000702}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160401Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:24.762{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160400Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:24.762{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160399Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:24.762{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160398Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:24.762{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160403Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:25.992{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6BC998AAA7941E28FEBC055BFB1FE3,SHA256=C642B02B776E8ABB39AFE948211045B0855B8B8910F9E42D2D1125052413524A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119152Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:25.576{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=709FBC8472BA67415F9231C8D33AA6C6,SHA256=559307D223F3ADF12E8F3EBF630420EA0CFF7BE2DA5829B4C1324512649EE47F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119151Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:25.357{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F1CF76BD45797D5E4F89D2514A0346,SHA256=58C8166F920E40D19BBDA8F5C26FAB397E15B0DD003BA6498DBAB7851C61A1E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119154Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.623{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119153Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:26.420{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE646BD3DF166945F6891E7806A910F9,SHA256=D63810FE7CC85F65279C135231B20D179C9A49051B32FA7765664BDB59B3E161,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160405Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:23.236{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58749-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160404Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:22.468{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58748-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000119155Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:27.467{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC08A7EB10F54C416EEC8EC465389506,SHA256=E4620C8ED5D4A3692C5559DCE2C17C75158623962A6060AA6738FBFFC89E9EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160406Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:27.029{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22874727BE7AF05E22EE7D7FB70677EB,SHA256=6E7FD18E2A2CB73974A93B8E380E1CA6CF1A8A2A7B4894A34598793A62D35150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119156Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:28.545{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62545F939A4CEFD610F74FB079605CE7,SHA256=30196E19AB3F6DE6F35ACAF483DCDC7F6CC0807389BF9C8C86F4D1177638BC84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160407Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:28.059{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6998BB49D8A93C85B8A44B40AAB852,SHA256=B64318D3B135DE7AAB41DE85BE118BD65B0597ECB22C0F9B16A1C5A29030BBE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119157Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:29.545{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924C130DF7C25A37BE78FCB6C9DB9C53,SHA256=DAF5B909019969466B073F26C8F8DD56940FF5350E4354A65AFCF68DC685494B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160408Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:29.091{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFA689DB17DA18391FD8541AB82E420,SHA256=B88DCA22FEFB8EEB3F6A0995E3A43BD3F54419C4D8A1E3F72FF122DB102083A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119158Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:30.560{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635641054F56CC36D59FC2D8DCEFE8D8,SHA256=CA7A1DA43EB5479BC9C352DC245D5DB12A7E4B4F631A02C2794286118CD58256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160409Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:30.128{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDAF68DA247E5F3C9CDDFE694F62BFDE,SHA256=5A43E1302265331EE8B8450E41DF45D0F232F56068FF0A406323007ECB558CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119159Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:31.592{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926E222D70B9FBD64D6FEEBF0898AC72,SHA256=A42F5CAC61643A1BBE43B87FFF3062907CD2A654B605596CC812F42A9F76C9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160410Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:31.143{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B943ECFEA5B4314AAABA6F8156ED1D,SHA256=FE35CB03D52912F7EE9022D8A59147CE0C3B273694470E839CAB8E961DA12B61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119161Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:29.732{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119160Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:32.623{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937D188DBDF6A5C900D5F25E3D0E0B45,SHA256=426E4708C8E4D243B9ED53BA8B6ECC5B2D5D8D35BB0F392AD29511D1E6AA3FED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160412Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:29.097{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58750-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160411Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:32.227{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0841ACE0E07A615F26F4D258EF54CBFB,SHA256=EADAC63A4D4109E26EBF55848C684494E05789AB8AF9E0EF56904C3418ABB4BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119162Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:33.654{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCEF5B5E52159FA086FE003FC720620,SHA256=C1D7797B286AE92248E8F22240A43351DD3FCDA4953203B6865EAE786D5B13E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160414Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:33.227{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8EC77C868F45E4A819221B3092ABE2,SHA256=F3A2495008998E7F5DB56A388682342B3B91D00998E9878182D2FDF2AC2A5E42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160413Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:33.174{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=BC729CDE5BCA62C0B5DA0480F883F648,SHA256=8831999A888EEE9BD597D4B1F289C00A4BF93C331C5242DB8400B09D85C090B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119163Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:34.654{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32AE429B93AFBED817497F6CD798BE7,SHA256=5A6F144E54D55673750CA824920D88DA898CD00A01849C796F0B1B9C3211B11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160415Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:34.257{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6DA62FB19E9E1A585482F4E9180149,SHA256=EDADE5607C6FF2A6E36B570E18A9DF64EB692D08FA4A6ACAED9D4D2E4513CAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119164Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:35.654{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F0689D546646A6140E3A8E451274B3,SHA256=2600F7691AB97D1A3E88A12F0335569443667AA8417D8C46BFE5E2CDED358394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160416Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:35.325{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A54A1A5DCD09B97E95394EACF2B3AA6,SHA256=045F287BE65FBDA167E9337B19DE5EF41406FB13D397167346911CF952C7C1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119165Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:36.763{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D6D3874E57502DFDE8A026762264FF,SHA256=3EB503CCC1FC4F954A72A65D156793B7F17C569466743282F3F011EF0E401950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160425Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.955{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B18-618E-B201-000000000602}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160424Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.924{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160423Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.924{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160422Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.924{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160421Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.924{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2B18-618E-B201-000000000602}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160420Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.924{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160419Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.924{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B18-618E-B201-000000000602}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160418Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.926{189417FC-2B18-618E-B201-000000000602}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160417Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.355{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEC62EBC55706AB103C4C62BF3E1904,SHA256=0113BC4F7031EE0265FE89C6F690360FC1640C38C7FD90173F7A7BA29042AA44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119166Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:37.810{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8615DBA994A85D5EEB4D3C6C2CC000F,SHA256=105F71EBCD671962E9ABA7B0C568BFD56B810CA65CF1234ADD62C0CE1247F8B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160437Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.941{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E49A79321E92949B77E6AC8CCDF88E4,SHA256=6A0CC18B61D708C411C4C9EE8143B74E796460A9C0900D041DA1576B6E6061C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160436Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.941{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=387E121967E82BE2D5EECF5F185666B4,SHA256=2D148F3C999F53E8F9ADE4CBB4DCFA0AF32A8DD7639A732285393E614DC98035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160435Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.769{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B19-618E-B301-000000000602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160434Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.767{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160433Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.767{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160432Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.767{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160431Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.767{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160430Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.767{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B19-618E-B301-000000000602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160429Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.766{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B19-618E-B301-000000000602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160428Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.766{189417FC-2B19-618E-B301-000000000602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160427Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.387{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6A29F903DD1DBA20F8850B5577E675,SHA256=FFEA4077C9C08884DA65FC25BA18DDF02B3EBBF3454B99762DDBA17852AEA133,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160426Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:34.225{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58751-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119167Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:38.810{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C764A2269617E3677455FF39C45226,SHA256=04702DB8028ADF37E327C0E40F92622A7D69A56E0C05C63C75349CDED5E76EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160447Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.541{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D23EE026A4414215AD7D731156665F,SHA256=512E73DFC75CA1F816D23C4567F70940CA94C672BE2A039A8FAEC0D305C06B6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160446Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B1A-618E-B401-000000000602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160445Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160444Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160443Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160442Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160441Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2B1A-618E-B401-000000000602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160440Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B1A-618E-B401-000000000602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160439Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.442{189417FC-2B1A-618E-B401-000000000602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160438Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.010{189417FC-2B19-618E-B301-000000000602}47124016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119169Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:39.826{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F805D24F51705365770C960B87AF5C45,SHA256=AEBAF3CA2FBF3A6B2E53B488C26D849E032F6DF038369FE0C0A643C0074FFDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160451Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:39.557{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C27CDCB1B71A98F78CF95BDBD8258D,SHA256=36EA9ED4B1271D6854DC79E2610C61B2B1526ECCF70704CAF052118BC58BB338,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119168Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:35.623{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160450Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:39.442{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E49A79321E92949B77E6AC8CCDF88E4,SHA256=6A0CC18B61D708C411C4C9EE8143B74E796460A9C0900D041DA1576B6E6061C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160449Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.856{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58752-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000160448Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.856{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58752-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 23542300x8000000000000000119170Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:40.842{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66397264468C3A575614CBF486F7E13,SHA256=BD510BA25FB739E24985698050AE9F6814F7D76733C3DA013F7504BECC242EC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160485Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.780{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160484Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.780{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160483Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.780{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160482Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.776{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160481Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.774{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160480Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.711{189417FC-2B1C-618E-B501-000000000602}60925564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160479Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.695{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160478Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.695{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160477Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.695{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160476Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.679{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160475Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.679{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160474Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.679{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160473Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.679{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160472Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.679{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160471Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.658{189417FC-233F-618E-1600-000000000602}12522132C:\Windows\system32\svchost.exe{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160470Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.658{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160469Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.642{189417FC-2B1C-618E-B701-000000000602}40724244C:\Windows\system32\conhost.exe{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160468Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.627{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17590675E35D00C33832A1C303DFA683,SHA256=BF2E65352987E46CBE20C98314BAC2377C471B0FC91ACA7566130A6480627126,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160467Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.611{189417FC-2973-618E-4D01-000000000602}19686080C:\Windows\system32\csrss.exe{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160466Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.580{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160465Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.580{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160464Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.580{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160463Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.580{189417FC-2975-618E-6001-000000000602}45084276C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+1f9ab4|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+175750|C:\Windows\System32\SHELL32.dll+16d62c|C:\Windows\System32\SHELL32.dll+19e808|C:\Windows\System32\SHELL32.dll+16d7c6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 10341000x8000000000000000160462Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.580{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160461Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.580{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160460Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.569{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework\v4.0.30319"C:\Windows\system32\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{189417FC-2975-618E-6001-000000000602}4508C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000160459Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.377{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B1C-618E-B501-000000000602}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160458Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.375{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160457Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.374{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160456Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.374{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160455Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.374{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160454Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.374{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2B1C-618E-B501-000000000602}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160453Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.374{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B1C-618E-B501-000000000602}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160452Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.374{189417FC-2B1C-618E-B501-000000000602}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119171Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:41.857{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0960025BC174972CADCC4A7828AD698,SHA256=FEFCF5CD54AC16019C81F83CFF07DC54A6BA559459227427BC3EA514F73792A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160504Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B1D-618E-B901-000000000602}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160503Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160502Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160501Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160500Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160499Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B1D-618E-B901-000000000602}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160498Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B1D-618E-B901-000000000602}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160497Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.645{189417FC-2B1D-618E-B901-000000000602}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160496Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9522574DC3D15F23A349A0799B5C53,SHA256=7FE44858D9269243ABE96D5D583F18CF7EC5F098E81DA5316CD916025CF38CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160495Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.381{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBC83EC71E513279F2F4B0435CF07529,SHA256=2CC277CB4E0EB7FC82B2DAE342E68DB30BD0FC62A6C067C573DBEB218AAC1279,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160494Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.327{189417FC-2B1D-618E-B801-000000000602}55325340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160493Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B1D-618E-B801-000000000602}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160492Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160491Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160490Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160489Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160488Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2B1D-618E-B801-000000000602}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160487Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B1D-618E-B801-000000000602}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160486Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.044{189417FC-2B1D-618E-B801-000000000602}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119172Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:42.873{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D38B000852698413D66FCA7B9F5B12F,SHA256=E5BF670102CE0EFA70BF8F9070B5F7888A4D36A1E11A280D64B58F96699BB2DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160531Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.785{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500115740D85FC255CA3DDDD1DC806AA,SHA256=E08EA076013A22C5F70AC3E3E85A5A8156F2DDE0FCE80CE0076957A2EDFE3587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160530Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.651{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EFB7BB02AA48606382D8404132C1A83,SHA256=D93204CB925101E8DA4FE62E98BAF65321442DB364541F5DBA25576387F480A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160529Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160528Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160527Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160526Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160525Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160524Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160523Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160522Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160521Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160520Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160519Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160518Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160517Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160516Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160515Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160514Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160513Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160512Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160511Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160510Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160509Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160508Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160507Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160506Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160505Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.145{189417FC-2B1D-618E-B901-000000000602}58324836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119174Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:43.873{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE8703D9AF248DDB1C651E036DDB2F9,SHA256=CA512D9F19C9C071DAA2FB3D10D46DB9FE3DE2AE29184B873D09796112D9CED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160541Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.785{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F091F416C47D09D812ECE0ED0793EC20,SHA256=1825A184C9655DB1FAC516360E2D32FC5EDDED5F27FA141B77E054D7E91B50AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119173Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:40.733{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160540Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.097{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58753-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000160539Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B1F-618E-BA01-000000000602}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160538Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160537Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160536Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160535Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160534Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2B1F-618E-BA01-000000000602}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160533Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B1F-618E-BA01-000000000602}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160532Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.370{189417FC-2B1F-618E-BA01-000000000602}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119175Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:44.888{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C487FCBA89AB9AF436EF9B1EA03062,SHA256=542E4498C41E51D5633076123204B9D22BFB9AFC404F8F5AEA35310543A628C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160543Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:44.800{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F299B77A151DDDF96BDD946282AD06AC,SHA256=14D66768FE15A650A167F1F173A46C088D02538B850F1897733D77A75355E51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160542Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:44.400{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C040B4CFB3B29E7D4991957C849BB07E,SHA256=0A85068E65243A2A713953F8692FD7B6F2753C948E70324B062F26565D3B03D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160544Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:45.815{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DBEA2A09FF9B0EBD4B80320B32BCC3,SHA256=C5571062187EDBF6608C4A09115E1DEF10F9E27A45DB53D2C4CBEC53FD2267A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119176Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:45.888{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCAB0EFB3EE2106C843FC918FAFA603,SHA256=0078C455B593D71CE0D191372ED918E0E09F090D2182441B627E30D3CFCD888A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160545Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:46.830{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD5E335B7DECF861DED63B1EDC3BD15,SHA256=CA8F825AB8ADE592B59AC0239D47856705EE34E762E49914E05722DE6F015D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119177Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:46.904{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE73EE8534DE858290C7F610AF023122,SHA256=8F9F411F7C71A32606CBA8AC257EE143D2FDD0DE1F0E210A0DB822A00B1B0612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160546Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:47.982{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD3DDDD0E43D1A4A96BF95961D1DD62,SHA256=FDB191F64AB0F3EF8CCA97A122246449EFD1DE30985770F209DB937D4C951AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119178Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:47.951{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F97E91EBB19583E21CC3A5ED2DA9DC,SHA256=D35AAAC3CBFD78A1C40848A7C6CCED4E28041E83426B059D707909322DA8B312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160548Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:48.982{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626F69DDCDF0F9CA43043629391EAD5F,SHA256=54AE358C6D5AC6FCAF88EF1076C7DE6ACBED2415F1DF2A98D66DAB8A1B31CCAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160547Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:45.252{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58754-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000119180Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:46.608{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119179Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:49.013{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197DD6F779F106279A2A58A42754A6D8,SHA256=7F1162A07227842D79DD5BB89F9F3323453EE036A59774DCAED64206228537CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119181Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:50.060{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5524D6EF36F36AEE535FD9E43A11F6,SHA256=977DBB134E6C99CACCFCF49D3E654C58B9923C6709BB5E725F0102FDE7D982AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160549Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:50.013{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162F60254AC0769FF2D4D025AD280FB5,SHA256=352AA83EA9D0727DCA964254682C99CB200758BDAA131F9492BA1CEC8CE14DDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119182Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:51.107{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C03CDE03FA10460C1B4F610045BC7D,SHA256=653D15751DE9A2F4EC3DDA4E1AB781F8C60671BC5BB0F2C7C82BFA7787DF1C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160550Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:51.028{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9935391CAF1795B8B966781B183FF0,SHA256=A5766165A09CC30EEB22341E94843B5A6A0C82163AF7C6E6997B5839B467BDF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119183Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:52.154{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5A32B6897E4280DDB3503DE67818CF,SHA256=E14AD04B0917539DCE48E6DA55F8999F0A6E998C475B062626C72C3366CFEC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160551Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:52.047{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5572C034DCB08817AFD1494C94079F,SHA256=05B54554CDCBDA1AD71F820DDF7AB665021D8AE8DB1DD3959A9B642E32B3E2E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119184Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:53.201{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7D51DCA38B489E532A897B01F7C21F,SHA256=615382A4AB8C07DA3FFE04A158DE8BC4985ED31FAC3ED1029743238AC0848E3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160560Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:51.118{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58755-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160559Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.083{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94ECD08D541E52D61A59116EE9E3F8E,SHA256=5279A46066B83C0655DAC403B906E9E30D84F3D91E172C00A8BC989D87568BB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160558Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.048{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160557Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.048{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160556Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.048{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160555Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.028{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160554Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.028{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160553Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.028{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160552Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.028{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119186Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:51.686{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119185Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:54.310{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FBE93BDF4145AFAFCA0F8CE0557C2B,SHA256=15AEDC6FD7E5E9D72F3A10C09E033B28413C2D5BD377312F59CC7E5DF45D405C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160565Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:54.635{189417FC-2975-618E-6001-000000000602}45084640C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FCA63D08)|UNKNOWN(FFFFBAB51D2A5B48)|UNKNOWN(FFFFBAB51D2A5CC7)|UNKNOWN(FFFFBAB51D2A0351)|UNKNOWN(FFFFBAB51D2A1D1A)|UNKNOWN(FFFFBAB51D29FFD6)|UNKNOWN(FFFFF802FC77C103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000160564Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:54.635{189417FC-2975-618E-6001-000000000602}45084640C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FCA63D08)|UNKNOWN(FFFFBAB51D2A5B48)|UNKNOWN(FFFFBAB51D2A5CC7)|UNKNOWN(FFFFBAB51D2A0351)|UNKNOWN(FFFFBAB51D2A1D1A)|UNKNOWN(FFFFBAB51D29FFD6)|UNKNOWN(FFFFF802FC77C103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160563Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:54.635{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1f06df.TMPMD5=EAE1A877F1E70EC6E8A1C36B90B5FD06,SHA256=37A035AE6A66F2C57D61F6A22DEF6393BBEDA1F046CDEB7E66F00B2E3F5ED69C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160562Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:54.169{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\startupCache\startupCache.8.littleMD5=6B8645E1FD352912EDCA5C1E55D66A4F,SHA256=A8A711480C556EA1A2EC9397CDC3F616DB14C4FA61249B47472A4CDD1495FFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160561Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:54.114{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7739A03E13F8876C87A3CCEBEC6D738,SHA256=326E0E93B9C9ECF6C386F4AF8142ED5B3590DF350580964EA9E62903521B54BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119187Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:55.420{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F3AEE8749A4471E9DBACCA74F49286,SHA256=93A039907F59460CE240F95F32C906F7D875872EAA0BDCE5BB7CDC1C5F47FCEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160566Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:55.119{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF875E9C32489F67CE074BCC7F05B69,SHA256=6D072D81BB9D05C717BAE8BBC29A5C99C79CCBC2CC02EF3842CA5B237AC0DF5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119188Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:56.530{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB3A8801FFE869EEE69E2FD3F93CA07,SHA256=D59FC2AF5BA9713F4986225B4DE6D6C945455CC79578FBA9A5EFFA64331C6DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160567Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:56.249{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7452E80D33F9EBB995F61B39118F22B3,SHA256=7A360D4329A797A9E523293555DDD0780F673FB7E46EF233AA69B8ED30AECA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119190Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:57.558{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6B28A38EDE551433B838E89A754D5B,SHA256=F575651195847AE6D0E933A8CB036297AAB7B41C61DE0970BAD48D924F14AB99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160568Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:57.269{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF389F71244F7AC1FAB7DEE99FF559F,SHA256=CD335B8AD59A55A8F8B376CA16148922C0980821FED68CD54FF3262DA3658B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119189Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:57.002{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-032MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119192Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:58.574{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5061B940A38A3523A88D84041B240EAB,SHA256=C459CF5C71E9557E752ECD2255B605DFEB5E36B0C07BCFD4C94B5F4447523AFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160570Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:56.255{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58756-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160569Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:58.271{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AED5BBBC3BB4616135BBEF31DB1F3E,SHA256=EAD84F29D27FD4A69F84BCE4D226F2FC38B5B03CFE65F94A0754FA8A74ED4624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119191Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:58.012{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-033MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119193Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:59.809{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302FEFE709721C66C30E12C22D736415,SHA256=AF0527E0EE3847BBB43FBC3AE97C88815FFE6105CCF4E6D67918F27665EC59FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160571Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:59.286{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB83D676D4E3542D1E44512D399C18DE,SHA256=D06C057A28FC300E3471D1DD94C78230E57C637E6E3689ECA2F321955C296756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119194Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:00.996{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819B20A81AE07562B476DFCE9C0F7879,SHA256=81D521AD9D0C0A07D06BBED583DB5863C1EA8BE98AD1E1E45909D3C55E77A430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160579Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.385{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF6BE1FF06FA596D17C2BA84AD34A59,SHA256=F160775008A4F69C46C09E23C82F205EE774E543B76C56B893A36692A743E84A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160578Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160577Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160576Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160575Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160574Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160573Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160572Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160580Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:01.417{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9511AA083441E4D53C409470B075154E,SHA256=BB13480C7B6DE48AF1D13EAF760F035A4B58ADC2DD3521F7E9A3260162023661,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119195Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:57.619{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160581Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:02.432{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5E67138676582C04EF7DFEF327E05C,SHA256=8939B032722EBC0646C041FD94E7A13DD11CA0BF28DC2ACD227577C7A73EFC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119196Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:02.012{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E298AE0CF393FECA109034B2A8D55480,SHA256=2373AFDA229F3A8762BD047F5A3B6A280323324E5FF4BC089D7D1E126E8872B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160582Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:03.434{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CDE22D47CEA6AA3F94B08330622221,SHA256=9F03902C30937C72D87FF70042920792AF197A9079733B29941A173B937F5D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119197Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:03.027{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEF54E181263FA06B0A886E6A49FD1C,SHA256=ADE3121FE3D5D0753040C4EAF5987DCDA2989F5555C5FBAFB06C44E8E083CFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160583Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:04.448{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7CBC5C43DA87CE1DA35EF6B7471909,SHA256=25F5AA76A311C3E3B92D3CC92E457F3C36854873A641EB225327E7785CC836EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119198Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:04.043{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5146CB1454678D99718971AD31A4C633,SHA256=FCA35CE1339868C6622CDF9DD517F1BDCD0A2B4B483331EA4280BAFECA6FBCA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160585Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:02.153{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58757-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160584Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:05.448{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D74521940BE9F6F313D351CCFC75237,SHA256=077A8C0F5743FFEBFDD2205B417877F8BA67C7A08F07D349C66BD19738C04830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119201Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:05.637{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=40BBEB91B616D047551847839BB1F969,SHA256=5335D841D6C27829EEDFA73218194D4E72EB9D47B828EC4929FB6D130A2CC36D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119200Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:02.778{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119199Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:05.059{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE61CB09B11650D9377E55C234FE074,SHA256=9B05A54F61ED6C8FEFC4B1EB94B5F5075BBEB8460A2ECC7B2F98BC47854A8847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160593Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.470{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA3883C60B837CB1DA109D4F6088339,SHA256=436C5C64BADD5D5CFEC02644B7E60315AEF69A739F620D464D923EE41638828B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119202Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:06.059{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBEFD3C5553006F2BCC768E6F5EC76A,SHA256=D1AD32CB3303BE95DF084BFF2E97BAA7C4F670BE7BEDF3842D5DAE5BD9CCFFB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160592Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.332{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160591Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.332{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160590Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.332{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160589Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.317{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160588Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.317{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160587Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.317{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160586Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.317{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160594Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:07.486{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775210C18840CBDF9ED91A7C9A40684F,SHA256=D777E695CEEB13D112FE8DC0EB49E4B2C540AFB7C0E56D17ADA1A8DBE9E8D161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119203Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:07.074{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87700CBF007C72EEE8C4BFED1818067,SHA256=EA79F15130FEEEF875436862DCA9EB39A2C8D484C7A2AC6E315785630A3FEEF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160596Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:08.716{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9ECC3D48AD65B6A5B9C989DDA70F8332,SHA256=770006E669B3A6E61818A17E7CFBDE5D75AAA07552B92F6EEE3DEFDC7F16D30A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160595Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:08.501{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66444EE008493E9AD08FFC39AD4F391E,SHA256=2FF5EE32519FB3EB919ACD3E965F2A93AC8AEFD5026499B8A4C9CC3339C8B5DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119204Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:08.090{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00539F5D84F9567DB99052F0A78761B4,SHA256=0F3C16B6D6EE23C488D88AF98E7AAFB36C2745435A6633A803AEF78D18090440,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160600Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:07.169{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58758-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160599Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:09.516{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA96086678AAB3D394E5BC860EF67F9,SHA256=10FCDC5366F952D2CFD16E50A17CDCC58EC50D9C88C4B6F5A15C07A6D273A6E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119205Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:09.105{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9E76A06270DF8F196B96BB3F3F92EF,SHA256=1EC16A1A0BD1085B6B883CDCF671FE403FF3FABE574572B173692E21BC73B679,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160598Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:09.284{189417FC-2975-618E-5501-000000000602}27083276C:\Windows\System32\RuntimeBroker.exe{189417FC-2975-618E-5701-000000000602}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000160597Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:09.284{189417FC-2975-618E-5501-000000000602}27083276C:\Windows\System32\RuntimeBroker.exe{189417FC-2975-618E-5701-000000000602}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 23542300x8000000000000000160601Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:10.584{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478C375BCF96F81CA6EDEB20E5BE7479,SHA256=3FD72ED6D6F907A6E6B635AC4E3D70401106029CD3913FB665CF028475C403FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119206Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:10.121{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A898EA865CA46F86539E45C3F9DC752,SHA256=0B8A6F9F0BE34964E843622E1E816A9F67103A52A4A52570EE346B7DFC725ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160602Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:11.645{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDA02904A973B305BE7463A533CD731,SHA256=20C2C721CF7CDEF73592A73249944ADD8C8B250C68CF2F4D274FA6E6894B92C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119208Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:08.622{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119207Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:11.121{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92643A54D079BD034598A2A53BDFE596,SHA256=5F44519FE86264D0F9AD7B789D4F39D28DC335015F5D63B7360F3CE71FB5D6F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160665Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.946{189417FC-233E-618E-0C00-000000000602}8483096C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160664Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.930{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160663Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.930{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160662Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.930{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160661Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.930{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160660Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.930{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160659Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.899{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160658Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.899{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160657Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.899{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160656Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.883{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160655Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.883{189417FC-233E-618E-0C00-000000000602}8483096C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160654Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.883{189417FC-2975-618E-6001-000000000602}45086004C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160653Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.883{189417FC-2975-618E-6001-000000000602}45086004C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160652Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.714{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887EE1E387883D6A7FF3F14991C76E5F,SHA256=F2968DCB29C200A9C194A30D34331884D4657CDB449BAE4ACFB2339EB60BDCEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119209Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:12.121{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A17C49F1F6977FCF51FCC28222FA8FE,SHA256=DB13F5A5A8105EFDCDD1E8E0767A4793FAEE33AE657CA10DD6C6B67E7CA350AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160651Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.568{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE48C3B6C817ADBACC2A0D4E819B08F,SHA256=0E83E35F4ED0B8FB956E3E3E3911605B51398EF4B0573F9EE3688B31B100BCBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160650Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.563{189417FC-2975-618E-5501-000000000602}27085556C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160649Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.563{189417FC-2975-618E-5501-000000000602}27085556C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160648Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.563{189417FC-2975-618E-5501-000000000602}27085484C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160647Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.563{189417FC-2975-618E-5501-000000000602}27085484C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160646Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.561{189417FC-2975-618E-5501-000000000602}27085940C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160645Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.561{189417FC-2975-618E-5501-000000000602}27085940C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160644Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085996C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160643Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}2708864C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160642Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}2708864C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160641Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085604C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160640Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085416C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160639Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085712C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160638Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085604C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160637Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085996C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160636Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085712C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160635Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085416C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160634Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27085804C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160633Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27085856C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160632Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160631Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27084880C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160630Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27086076C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160629Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27085132C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160628Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}2708596C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160627Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27083276C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160626Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.345{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000160625Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.345{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000160624Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.345{189417FC-2975-618E-6001-000000000602}45086004C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160623Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.345{189417FC-2975-618E-6001-000000000602}45086004C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160622Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.282{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000160621Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.282{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000160620Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.282{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160619Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.282{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160618Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.282{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160617Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.282{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160616Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.266{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160615Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.263{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160614Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160613Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160612Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160611Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160610Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160609Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160608Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160607Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-2975-618E-6001-000000000602}45086020C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160606Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-2975-618E-6001-000000000602}45086020C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160605Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160604Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160603Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160685Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.914{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640E9DD8BBF63BE25E35429564F5557E,SHA256=07BB330ABB03C10456598CDF639F1695485FB40CE88953454DF4F3F887B76999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119210Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:13.137{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E5B57C906390CF6CD577C5E9E89FBF,SHA256=377D49062CAF82B57816921B3F85A310E981CEE559CC0A1634D65E4CC46B2011,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160684Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.630{189417FC-2975-618E-5501-000000000602}27084880C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000160683Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.630{189417FC-2975-618E-5501-000000000602}27084880C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000160682Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.630{189417FC-2975-618E-5501-000000000602}27086112C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000160681Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.630{189417FC-2975-618E-5501-000000000602}27085548C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+2a2f91|C:\Windows\System32\windows.storage.dll+74783|C:\Windows\System32\windows.storage.dll+747fa|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000160680Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.630{189417FC-2975-618E-5501-000000000602}27085548C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+2ca252|C:\Windows\System32\windows.storage.dll+cb155|C:\Windows\System32\windows.storage.dll+74066|C:\Windows\System32\windows.storage.dll+2a2ef3|C:\Windows\System32\windows.storage.dll+74783|C:\Windows\System32\windows.storage.dll+747fa|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346 10341000x8000000000000000160679Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-2975-618E-5501-000000000602}27085548C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+c6b73|C:\Windows\System32\windows.storage.dll+c62e1|C:\Windows\System32\windows.storage.dll+c61f5|C:\Windows\System32\windows.storage.dll+c618e|C:\Windows\System32\windows.storage.dll+11c559|C:\Windows\System32\windows.storage.dll+61096|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346 10341000x8000000000000000160678Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-2975-618E-5501-000000000602}27085548C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+c94c3|C:\Windows\System32\windows.storage.dll+11c3d0|C:\Windows\System32\windows.storage.dll+11c327|C:\Windows\System32\windows.storage.dll+11c4f7|C:\Windows\System32\windows.storage.dll+61096|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x8000000000000000160677Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-2975-618E-5501-000000000602}27085548C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+cb257|C:\Windows\System32\windows.storage.dll+61155|C:\Windows\System32\windows.storage.dll+61078|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000160676Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-2975-618E-5501-000000000602}27085548C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+61129|C:\Windows\System32\windows.storage.dll+61078|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c 10341000x8000000000000000160675Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-2975-618E-5501-000000000602}27084880C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+9f408|C:\Windows\System32\windows.storage.dll+1a2b29|C:\Windows\System32\windows.storage.dll+1a2985|C:\Windows\System32\windows.storage.dll+a0166|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000160674Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-233D-618E-0B00-000000000602}640808C:\Windows\system32\lsass.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160673Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-233D-618E-0B00-000000000602}640808C:\Windows\system32\lsass.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160672Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.430{189417FC-2975-618E-5501-000000000602}27085556C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160671Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.430{189417FC-2975-618E-5501-000000000602}27085556C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160670Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.430{189417FC-2975-618E-5501-000000000602}27084880C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 23542300x8000000000000000160669Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.315{189417FC-2986-618E-7101-000000000602}4572ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\mal.bat@2021-11-12_085210MD5=91965C4AC436447F1D64B3597D5A453C,SHA256=072E76295074037B713D9A86D1DC043CCB501E62A5D5CEA96C72D4AE2A8E45C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160668Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.084{189417FC-2975-618E-5501-000000000602}27085556C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160667Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.084{189417FC-2975-618E-5501-000000000602}27085556C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160666Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.084{189417FC-2975-618E-5501-000000000602}27084880C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 13241300x8000000000000000119212Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:52:14.512{147D18E0-233C-618E-1000-000000000702}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a2-0x96c89fd4) 23542300x8000000000000000119211Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:14.152{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3DCE35F8AC6D07D09D4731A935A732,SHA256=E47E7D3FECC7E6880F096BFDD506B3BF24B77851EA2A05A4B14D01943477915D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160692Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.929{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160691Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.929{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160690Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.929{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160689Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.913{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160688Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.913{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160687Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.913{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160686Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.913{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119213Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:15.152{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D858F512EDCB2D6284510A7092DE491D,SHA256=52A91172B2AAAE64BABF3367787DF1F7AD4DDE1624B2D7D5B8402CEF8648B18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160695Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:15.699{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-032MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160694Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:15.029{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F3104B4F8AB23A6EE67D84A72E7218,SHA256=A959860F2612D3D12F859196EBA8433ECD78EBE9B15B04BE89D5638B93BBEA46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160693Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.283{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58759-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119218Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:16.324{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119217Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:16.168{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64547307594B300E8EC15A0117B0418E,SHA256=2A5E95B6A1FFFE2D89F201C967B03A251C8C8964A1A25EF97A31F73F4D451172,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160706Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.797{189417FC-2B1C-618E-B701-000000000602}40724244C:\Windows\system32\conhost.exe{189417FC-2B40-618E-BB01-000000000602}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160705Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.781{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160704Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.781{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160703Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.781{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160702Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.781{189417FC-2973-618E-4D01-000000000602}19686080C:\Windows\system32\csrss.exe{189417FC-2B40-618E-BB01-000000000602}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160701Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.781{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160700Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.781{189417FC-2B1C-618E-B601-000000000602}44245572C:\Windows\system32\cmd.exe{189417FC-2B40-618E-BB01-000000000602}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160699Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.757{189417FC-2B40-618E-BB01-000000000602}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.execsc.exe /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\djymreij.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=F8F36858B9405FBE27377FD7E8FEC2F2,SHA256=086C38FD66AEC0E824ECB74ECE3D7124174201A9B4F5C9974FCFDBAF04A5870E,IMPHASH=950FB6F62526333E663D35BA72D19DDC{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework\v4.0.30319" 23542300x8000000000000000160698Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.715{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-033MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160697Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.063{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7169EF05F48C3AFD81087206866D1A,SHA256=81CEF6A9066A0308694CAD25AB2BC2AF37AFD5B95CD86FC687219818048013DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119216Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:14.043{147D18E0-233C-618E-1000-000000000702}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-29.attackrange.local123ntpfalse40.119.148.38-123ntp 354300x8000000000000000119215Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:14.043{147D18E0-233C-618E-1000-000000000702}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-29.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 354300x8000000000000000119214Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:13.731{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160696Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.517{189417FC-233F-618E-1100-000000000602}508C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-362.attackrange.local123ntpfalse10.0.1.15WIN-HOST-29123ntp 10341000x8000000000000000119232Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B41-618E-7D01-000000000702}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119231Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119230Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119229Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119228Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119227Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119226Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119225Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119224Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119223Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119222Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B41-618E-7D01-000000000702}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119221Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B41-618E-7D01-000000000702}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119220Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.794{147D18E0-2B41-618E-7D01-000000000702}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119219Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.183{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E39856FCAD7DC6B4DBF6B7321E4081,SHA256=5FD7569324444F1CA469033AB5E4CA15DC3D2410AE954458C5AC7308C1F1AD32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160709Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:17.913{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15272840CF4483054A93CD2F2946A06D,SHA256=A1A1EAFA6232191660ECA1BE89E58D953186813F90925D6AD3348840A7AF02E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160708Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:17.913{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=283992E99BA39E68D3B6BAC912BA518F,SHA256=8725C08DF7EC461FA1E99D5D8DE03E3DE11679292B852F12BF509B0C883F06DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160707Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:17.081{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BD47D88DCC7809B478708F56BB674C,SHA256=E407DFEE2C418888FAFBC7D3FA02C74B9AD52FFFB581846E0A8C1B37F40C33FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160719Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.229{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160718Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.229{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160717Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.229{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160716Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.229{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160715Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.229{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160714Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.229{189417FC-2975-618E-5601-000000000602}19043208C:\Windows\system32\sihost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160713Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.183{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160712Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.183{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160711Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.183{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000160710Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.145{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E868E4DCD7971BDCBCE4F4C608DDDD48,SHA256=C278880BB84E6672F85B96C8BD286B90BD3E850D08A47A25259F5A8D74C9E8D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119247Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B42-618E-7E01-000000000702}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119246Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119245Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119244Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119243Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119242Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119241Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119240Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119239Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119238Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119237Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2B42-618E-7E01-000000000702}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119236Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B42-618E-7E01-000000000702}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119235Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.544{147D18E0-2B42-618E-7E01-000000000702}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119234Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:15.856{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000119233Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.183{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB552B5D435A539C7E61896DAE63E4B,SHA256=B3A0B48F5565B287745269AD257F8A171C595BD5BFEB4389493B5DCB8542F768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160720Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:19.214{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E3DABBA385646B4B32912E2792CC2A,SHA256=B00D4C0A56FD78261871AF9B7900A9C25F0175CB8587892CDF196C2A6D15954D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119264Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.387{147D18E0-2B43-618E-7F01-000000000702}3028828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119263Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B43-618E-7F01-000000000702}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119262Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119261Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119260Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119259Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119258Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119257Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119256Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119255Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119254Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119253Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B43-618E-7F01-000000000702}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119252Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B43-618E-7F01-000000000702}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119251Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.201{147D18E0-2B43-618E-7F01-000000000702}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119250Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.183{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF6474E1FDF86AFD085E7B2EB7F2BBB,SHA256=0A550C7003B8FC52A5E66CC758231C6103E4E357C27F7B4D24DDC813842B2991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119249Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.027{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B30F6766F960BF44C713165B7297400F,SHA256=DA2F51DDC25FB18CB5FFD183AC1F187AD6D7E5318BB295B30BCD4824FFE81F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119248Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.027{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF39C7A758B68B33D0409E62B1187115,SHA256=15A23EC1D757CD502D9034A1C2296CAEBFE04E3BECE6DE5E22475B05E1A25274,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160722Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.204{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58760-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160721Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:20.214{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=783B45C023E3F9417FC6C62B4BA93C0C,SHA256=06A236FE2B02177325EC9B395BBC8FDEF0FACDFC849458E2A1628FB472D877E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119266Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:20.355{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B30F6766F960BF44C713165B7297400F,SHA256=DA2F51DDC25FB18CB5FFD183AC1F187AD6D7E5318BB295B30BCD4824FFE81F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119265Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:20.199{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92790D8E25143B55C5EC59225DAD7982,SHA256=12496279443B7255E7714CD49623940E0C86470965565D9568233122AD3B2E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160724Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:21.798{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=0828499BD7A6B1C7F482E7BB9D127D89,SHA256=E837E869F6D615F444B5C59DE8B88BAAF1DBF8192BD85404769997D653ADEA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160723Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:21.282{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0B3490B168FDB3A024A423EB09A832,SHA256=692A676362E1B38CBA330361B779B4A2DCC2D95AF9EC1FE8FB0776C34CA2A0E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119294Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B45-618E-8101-000000000702}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119293Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119292Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119291Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119290Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119289Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119288Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119287Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119286Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119285Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119284Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2B45-618E-8101-000000000702}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119283Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B45-618E-8101-000000000702}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119282Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-2B45-618E-8101-000000000702}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119281Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.308{147D18E0-2B45-618E-8001-000000000702}20402464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119280Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.215{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EFEAE916257FCD38AD30B5C2AF3550,SHA256=E388EBF7739A9300F509FF5C3E2AB2B3FC32AE85AD8BCC62CAE88C878FCB018B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119279Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B45-618E-8001-000000000702}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119278Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119277Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119276Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119275Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119274Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119273Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119272Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119271Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B45-618E-8001-000000000702}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119270Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119269Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119268Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B45-618E-8001-000000000702}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119267Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.137{147D18E0-2B45-618E-8001-000000000702}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160725Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:22.481{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234EA363F496BA149C32FDED42D50540,SHA256=303AA12EF8A2F5EBC6EBE7C0F5B6CD67F1DE134BF821EA75252CA17AF4D65682,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119312Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.511{147D18E0-2B46-618E-8201-000000000702}13243128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119311Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B46-618E-8201-000000000702}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119310Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119309Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119308Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119307Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119306Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119305Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119304Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119303Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119302Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119301Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2B46-618E-8201-000000000702}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119300Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B46-618E-8201-000000000702}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119299Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-2B46-618E-8201-000000000702}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119298Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.731{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119297Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.215{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0037BABFBA444533756EFCEF57FBE1,SHA256=0521CCFD7BC2AADDF5FA53DE4AA9431506A3D7A503D7494442D287C1B2B68CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119296Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.168{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4807FADF5B78D961537DC2A91BF9B6F6,SHA256=4E06053EC48B7F6E1BF5A371D5F08B23B5034F66FA25866C53BB4645D0DB2700,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119295Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.074{147D18E0-2B45-618E-8101-000000000702}13841800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160727Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:23.512{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4AA56795C9DC81276F1A381091D870,SHA256=51FED04106516C190E2DF485198AC127C70D6D8D48A5E317E3A4DD0AF480D13D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119314Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:23.590{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=054ECA5F39964D9463E0AFAA3F55B57D,SHA256=CB47CE0529D8741D365104608034B704B51FCA04166B17C6187B4C6883E4529B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119313Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:23.230{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EA18E0194B20FA4B2AF45A74F3C1CC,SHA256=C99793B0E739D2A3FC516DF6B652BE8C4F1F8C6A224A727FB4E361CD45DA1C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160726Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:23.481{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160729Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:24.762{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A202383B5C0113D9A43C8336B66B4BA3,SHA256=00D5D320AF8573F0177BC3514236F984CAB76B5D8B7FC78F853B4AA03CF0FF50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119328Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B48-618E-8301-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119327Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119326Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119325Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119324Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119323Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119322Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119321Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119320Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119319Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119318Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2B48-618E-8301-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119317Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B48-618E-8301-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119316Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.262{147D18E0-2B48-618E-8301-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119315Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.246{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AECF97C7CC0E8649B42B734EA758839,SHA256=A8AB5BEA009D7A5A1F318D3368FED2DF9883FFE2655A90EC24BC29BA3C59D386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160728Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:24.061{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160731Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:25.895{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88ED3D576CBBF79B1658B1B783FDB28F,SHA256=14AF6A1B284F1D0C46DABE671A0C6B375E31AEFF6B0A013A6835F6B2FD112E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119330Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:25.277{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=540A2DA8C4EB01B7CEE85087EA287329,SHA256=3E8BCE5B99C9670C94D379A9276A302BBF566737B96522B9B2A40A029C968D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119329Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:25.261{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0707DFF26D9A8215F52551088DB33957,SHA256=EB12B5F37A88B5031ED4459A3824ECA29DD99C6EC6EABDEDD4050C1395965BC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160730Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:22.484{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58761-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000160734Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:26.941{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F74C3B2D449EB7CEF31DA1A4D847EA,SHA256=8E78E112497E2FEC9F8F0157D7D4F4C18391E1FBF9630C9C771FFE3B71CBE603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119331Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:26.261{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8760CFD923D453A8EB7E4E3C61653D17,SHA256=5D4F0AB056E5C5DDCA7B697687EF2E4034061E6357A9CB58869A98487B487FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160733Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:26.810{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=B10DC0E482DD3DC2F25068583321C9CD,SHA256=18D80E2989010A1F6481C4C6257EFB9C7DC0A3F6E1266DEA251FDA81F334D87F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160732Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:23.264{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58762-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160735Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:27.961{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852A882FA122B44B1A8518C95230C15D,SHA256=AFF65C5F2AA7F8B244A8E29496166B2DD71E3B98C67E0BBF0699C5187F503C13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119333Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:25.700{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119332Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:27.277{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC5730E1EEE3BC88FA0670865D663EE,SHA256=33B3A5CF897ADF74E17573ABEE314E73E57E4B1365DB1948DC764BDAE17EDEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160736Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:28.977{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0A1208F51DEDC26AF55DC0EC08B609,SHA256=063566C5A6660C93E69BFB93AA706902F744B41012207D1B5A2421EC34A4C9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119334Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:28.277{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDB09CEE6DB25EB89859A6737ABC647,SHA256=2FF8DAEDD78EC2BDEC8D8C06C4C33BCED4E45E1A9B8C563E0EB69935B6EC9C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160737Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:29.977{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AAFE7F8D0BBE35026BD526FACE52AAB,SHA256=20EF804A37A7DDCBA6842AEFB8DFF986D710491F1F3A868CA54620562E4510A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119335Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:29.292{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80F9E377921EE9975E8216C8B018F19,SHA256=A848B474670F340E0512530FA907F77B342E5F82F970588A292E5B879B7D1BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119336Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:30.292{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E5FA59D9BBC3EA1E9600ABAC92E6FA,SHA256=17FA7BBAEBE89CF9A40D933B68117ACA3D17B384AD4FAE48D70344B369ACC2D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119337Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:31.308{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FB04AF9E6541283D41FEBC69D62703,SHA256=209EDF4582C2809876D5B8554C0F131637A1ACEA7B3A6E6D7D50DA2349564F74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160738Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:31.024{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC688DB0D5AFD17A5F72A722186E173,SHA256=1930DA3A1C4BE4ED68A66FD2C7385EE2443933E3BACAD54241FBFD6085B3E757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119338Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:32.324{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADC5C33CE74791AC5C90EDCBDD0FF25,SHA256=EB90327BC30034E2E5820FAF669FD73381B2BCB09C491541B7AFC69A9AB89FFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160740Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:29.130{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58763-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160739Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:32.039{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD48D0C7D64E94B81E28233B1E3A0F2C,SHA256=C554C0F7D59FC60088CF97FC6B93804136AAD5426B346990B1B150749A1297F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119340Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:31.731{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119339Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:33.339{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE07EB2850529AC28F60CE134A9763C,SHA256=39627C9562DCF7E83CE4B7348FB874D8FDF336430302429C53936D0E44A841C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160748Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.276{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160747Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.276{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160746Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.276{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160745Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.261{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160744Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.261{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160743Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.261{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160742Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.261{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160741Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.058{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADD52F82BFE71621648F38323E3A1BB,SHA256=7BBFC6C079DF461BAF22A9DC3A02399E86379B7F15C7951E7C88FD73F7B31C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119341Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:34.355{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51766F626F3BE46FD2F4125FA41225F7,SHA256=5E96DCDDD613D3CACF05A419FCA0DF864D3D59D977807FF9F309CA4A447F4C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160749Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:34.076{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE94B668080A6BBEF4719B89AAD26748,SHA256=D6A05F3789024822A05E4F822AFC6A270CBB705048C7BC98049B53D7BA4BB3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119342Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:35.511{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE6643431395073E6C4FC281672EFDE,SHA256=96425945C5D09CA7FAC53C9469416700B164426CE23C2170DA95BD4516CC6DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160750Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:35.175{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE2A4CDE4C28D28D6C7F669464A69D6,SHA256=2934C87058F3BEA23588B0FE97EA7605EEC5CE14E362616981E39D4938C1D375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119343Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:36.527{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED0D8A7276193204C715D9DD303FD4D,SHA256=76F1A25BE632CD99539A9399FFAD704A15F1CFCACD18876EA7B5B5D9FF4A4EBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160759Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.980{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B54-618E-BC01-000000000602}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160758Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160757Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160756Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160755Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160754Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B54-618E-BC01-000000000602}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160753Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B54-618E-BC01-000000000602}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160752Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-2B54-618E-BC01-000000000602}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160751Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.176{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC713F49F7CAF7E0268C87E6DFA6783,SHA256=2C5EF9DB76F0E33C6DE9EE6C385DEF7BB37ED98250528FC03DA536FD536F31CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119344Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:37.652{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4D1E94EA6BEE1ABDF71CBA287B29C4,SHA256=A209FA533F41489AE9003FAB2B4630CD3C5A955B97EE63192922C0E8B044FF04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160771Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.961{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15206613C7710D746E17E2F4FA544972,SHA256=541C5D0D96F6730E7F446FEC516CF3B4A85AFAFCE8AFEEF3DDAE0F61C5345B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160770Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.960{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15272840CF4483054A93CD2F2946A06D,SHA256=A1A1EAFA6232191660ECA1BE89E58D953186813F90925D6AD3348840A7AF02E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160769Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B55-618E-BD01-000000000602}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160768Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160767Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160766Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160765Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160764Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B55-618E-BD01-000000000602}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160763Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B55-618E-BD01-000000000602}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160762Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.441{189417FC-2B55-618E-BD01-000000000602}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160761Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.209{189417FC-2B54-618E-BC01-000000000602}58525480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160760Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.177{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72ABBF83C8D5825523ADDB6F8C375AC,SHA256=EE3E72F6D6B4D1C7FF44039C17E85384B3B1A70403DD43C553DDE4AFA891F050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119345Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:38.683{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6332927C79F1E8EBA487306E42189C34,SHA256=1EF44BDCE82D9046A11D5A9A8986B31DBB0A95C302F4A4F3912DDE95BE9931AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160781Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:35.060{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58764-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160780Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.209{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF1CD48788B7E47FFC6565561E2AA57,SHA256=FD2C1D7B1BD0451BCDF4E18E95F76299261C96010E8F70D6C2789BAF4D751526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160779Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.060{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B56-618E-BE01-000000000602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160778Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.058{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160777Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.057{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160776Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.057{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160775Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.057{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160774Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.057{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B56-618E-BE01-000000000602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160773Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.056{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B56-618E-BE01-000000000602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160772Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.056{189417FC-2B56-618E-BE01-000000000602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119346Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:39.870{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7B589DD578B3D94B3F3461B33EA4E2,SHA256=4347CAB1701EE00BE51145CAB43B6B1EB83628ACF6FB30F673E42C6F7C7F6887,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160785Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.862{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58765-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000160784Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.862{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58765-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 23542300x8000000000000000160783Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:39.224{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C785CF64F9D05A875D136C130D1F870,SHA256=0B30BC3EB7FCB6F04C294190C4BD6A60887ABFD3D284009DB6C00FDA707D58ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160782Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:39.092{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15206613C7710D746E17E2F4FA544972,SHA256=541C5D0D96F6730E7F446FEC516CF3B4A85AFAFCE8AFEEF3DDAE0F61C5345B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119347Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:40.964{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4F6DDEBEDB69774FC00B4329A0F478,SHA256=999D1A2DB28E56217DA0C006CF40BA5975B40F3B081FDD9B6F6DDDE1B178F924,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160795Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.623{189417FC-2B58-618E-BF01-000000000602}58444904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160794Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B58-618E-BF01-000000000602}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160793Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160792Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160791Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160790Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160789Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2B58-618E-BF01-000000000602}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160788Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B58-618E-BF01-000000000602}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160787Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.377{189417FC-2B58-618E-BF01-000000000602}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160786Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.258{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AA6F2A339BF699C090275DF114B1F9,SHA256=92FA9E6B2F7A91D2FE084A7464BDDF5BD830274B33BA437FDC4072B9223155D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160815Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.901{189417FC-2B59-618E-C101-000000000602}60485592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160814Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B59-618E-C101-000000000602}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160813Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160812Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160811Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160810Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160809Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B59-618E-C101-000000000602}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160808Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B59-618E-C101-000000000602}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160807Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.625{189417FC-2B59-618E-C101-000000000602}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160806Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.407{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FCF1F764F54C5C55E4F8B468C02B65,SHA256=11EA8DCD546CBE64B38E1B76FDABCA9E48B2229C1F57B259A10B8002215601F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160805Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.392{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F811F31FD3C47B8713265ED31F2C9D2D,SHA256=E37F69CBAC16730943A037417B0A0F31539927EE785A695462B3318AA50740BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119348Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:37.715{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000160804Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.291{189417FC-2B59-618E-C001-000000000602}32605412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160803Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.057{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B59-618E-C001-000000000602}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160802Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.056{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160801Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.056{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160800Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.055{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160799Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.055{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160798Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.055{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B59-618E-C001-000000000602}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160797Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.055{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B59-618E-C001-000000000602}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160796Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.054{189417FC-2B59-618E-C001-000000000602}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160817Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:42.630{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCB8F40B3744AAD24B77CFC21E58C69D,SHA256=CB44F30E795D4FD782942948F5975A03541896D534B83591CBC0021DCA6B288A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160816Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:42.393{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2C49C5DF86CBEA5385EB2AEF460177,SHA256=C4151AC1C6BBA01ADFBDF3321C5931FE1BB984A85CFB3FFF59075DEC84B1FE09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119349Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:42.026{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017BBF43E9491A95C085FC38283B647E,SHA256=EA992D1C43496BFF2291D641FB163A60178793D060C3629270E57601C9E966E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160827Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.198{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58766-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160826Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.414{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD9251627ADA34327D66039DC7C675F,SHA256=193D2CEB4551072A3DE4F311023840B707A34A88A0DDD7C529D0DDD84A6C03A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119350Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:43.026{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FED2C944428B8EEC7A9C0D0805C1218,SHA256=9B2860A1BB09681E0D67EA74BBD5350D800979823C09C786BC7988443454A1D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160825Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B5B-618E-C201-000000000602}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160824Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160823Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160822Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160821Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160820Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B5B-618E-C201-000000000602}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160819Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B5B-618E-C201-000000000602}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160818Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.377{189417FC-2B5B-618E-C201-000000000602}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160829Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:44.561{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48008C8D87D08AA9E64BDC0464697C8C,SHA256=21A5E48436B628B0BDA88159A061AB502FB7D417E6A85763B85667A531FC96C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119351Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:44.151{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682111C5FA729B3378CE8D35BACCA48E,SHA256=83AD7EFF255358A7DF7303E67E8D72AC7A3FEF0B10BCF6BF18ADDA42D7F3DFCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160828Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:44.377{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D8A4EAD5D1088FDA4E6F8C198F35D8B,SHA256=142D8B3CA330BE5A1950CC2DF369D15C76C173946B4FF4127B4FDFD87B647D3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160837Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160836Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160835Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160834Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279FF8991E085B2805D4C4F489B8816E,SHA256=513BE33B251370B9AF2AAB49F972E4A0384E4D6E92315E2943736282E4BB2597,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160833Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160832Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160831Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160830Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119353Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:43.700{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119352Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:45.167{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3143F3CB0DD4241FE59D72D4948A73BD,SHA256=20D1B889883E63B797E71992ABD94501A25AFF1CF9D3CD5B9582162D6AA84769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160846Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.592{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7081358609F71F4DC9A9B94FAB6D995,SHA256=6DA0BEC4B9B011086DA9C25630D8D91CEE24131EF4777906D38862547838AEB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119354Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:46.245{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0100D188DF87665AD6B13A70C105E35A,SHA256=E8D96136EBE1331037220D0442BB9174C0803C991CBCFE461CAFA20467E8CAE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160845Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-2B1C-618E-B701-000000000602}40724244C:\Windows\system32\conhost.exe{189417FC-2B5E-618E-C301-000000000602}6024C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160844Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160843Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160842Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160841Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160840Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2B5E-618E-C301-000000000602}6024C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160839Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-2B1C-618E-B601-000000000602}44245572C:\Windows\system32\cmd.exe{189417FC-2B5E-618E-C301-000000000602}6024C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160838Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.563{189417FC-2B5E-618E-C301-000000000602}6024C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.execsc.exe /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\djymreij.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=F8F36858B9405FBE27377FD7E8FEC2F2,SHA256=086C38FD66AEC0E824ECB74ECE3D7124174201A9B4F5C9974FCFDBAF04A5870E,IMPHASH=950FB6F62526333E663D35BA72D19DDC{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework\v4.0.30319" 23542300x8000000000000000160848Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:47.613{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2DA99A0E57AA6E6DAB0B5537948528,SHA256=6DDD595B26F9F5C739713C67D852CB72BCB04FD4B5EA433EF3296A552A9986AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119355Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:47.292{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FE52D1C10523F53CF13D13D295D143,SHA256=0FCD634E97FABB2E0F0587D7C5FFD87E311C5C9E70A7D438C54D01F5DE831EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160847Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:47.594{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FDB7B2A161F18D997E692E54342FC00,SHA256=176636A12CD8D0FB3B16C1E7A7150F6755E296922C695C3BDD2FF145A792F8A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160857Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.677{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE70240F4131D8FA7FB5D40BDF6BCDB,SHA256=D419BA6E6F88EDD16CD888195843F9B059455CCFAD25695062BB5374B809C76E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119356Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:48.307{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7051944BDD0EE275761C746CD0C490DB,SHA256=F2A248E32504985BEBBD2903B478AA7CEF78691BE0400614E78D97072BEF9B01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160856Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.115{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58767-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000160855Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.115{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160854Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.115{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160853Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.115{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160852Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.094{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160851Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.094{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160850Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.094{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160849Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.094{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160858Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:49.694{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2244519B7A5482A0C1E771FCC606A0,SHA256=F68D45FA1AB3EFFCC5514F59ABA2C891D026832B58180485A4DE5F0C835D6622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119357Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:49.354{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FD7324119A0B7D10619D0402A1F904,SHA256=F69F3F171AF7EF612763DB719B3C57810186A817EDF0A9DAF5F9C6FF13FF7C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160859Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:50.747{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFF63C01520083FA6BF9A093DDC52D0,SHA256=7C414F7D5DC65E2C079007CDBD5B600D820619A23E8ACD11C4E1DBE364541EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119358Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:50.386{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9915EF05D96052B6D52FCFD868CCAE8,SHA256=864EC7936737CDE79735145CD558B49E2C16544660D0400CA4D5C9EE59CB4E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160860Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:51.778{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B840B4ADF9C2EEC1A03809E55E1DBF,SHA256=E676EC5872F2C3E3BF01B8AC1EA865C95C867346299E3776DD1F3D3014A8E998,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119360Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:49.715{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119359Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:51.386{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CA034CF8E1076C09F8D64DD9BF7DF2,SHA256=26F8C86C11B38099A18F95E7E33C965D3D39A4905A5700D95A38499571F5C641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160861Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:52.976{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2474E000257B58F88EBE4136BF9D5B5,SHA256=0F7AC93624BC3DF3844754BA818DC4352C367E6552BED787242335DA0ECFFDD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119361Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:52.448{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4966CBE0294EC5CC15FA3704C5F3C599,SHA256=C520C6284D2FF687CF4B0E1B32A3FDCA2EB94D3C958D01FBD6E16F798A79622E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160862Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:53.991{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC751E76C6FB3EC129AAAB58F0124440,SHA256=086973A95055F6BBC0702D2C92BD7C4541A1D1D2A803940DB911BE360B44F97E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119362Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:53.495{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F396D9CB19B61744D3E639674D1BC1,SHA256=3FC4A2A0B3E88343EFF311B49BCF4E3262ED6ED5403055885A421B7A69282E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119363Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:54.495{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B8704B7A93DCC3C9B0BE4C5CD736CF,SHA256=FACD407485CB6B5049544920BDCB27E1CDE9C2A2A0453CD7C784E9130BF9FCBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160864Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:52.051{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58768-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160863Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:54.160{189417FC-2986-618E-7101-000000000602}4572ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\mal.bat@2021-11-12_085252MD5=9EBF44FE8CDA3B0C695F6F4CB27F48DC,SHA256=00780BF6EB126E7AE25A5E5A86E19F46CF20E238B1B06C358DA8B64C6647C260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119364Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:55.495{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C7130C7FC2CDB2790F3F07F727A3CC,SHA256=DF88BA3032C2F520DBB4377868EB19A3AC5F1E79A3ADA5C9C0BD73E144967D8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160872Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160871Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160870Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160869Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160868Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160867Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160866Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160865Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.028{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C365481F4DD9B46BA5931D93B3774A6F,SHA256=3F742DD846131842B763BB6D72388155F7A787C36AA9F4A83DA3EC814BB7799E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119365Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:56.510{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9457AF24F13AD7D4EB8E65C32F1B5B08,SHA256=F4CD522BA298B5155F3D30A4620E310329579B2CCBA232F1D574688142EBE5C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160881Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.143{189417FC-2B1C-618E-B701-000000000602}40724244C:\Windows\system32\conhost.exe{189417FC-2B68-618E-C401-000000000602}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160880Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.127{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160879Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.127{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160878Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.127{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160877Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.127{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160876Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.127{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2B68-618E-C401-000000000602}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160875Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.127{189417FC-2B1C-618E-B601-000000000602}44245572C:\Windows\system32\cmd.exe{189417FC-2B68-618E-C401-000000000602}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160874Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.136{189417FC-2B68-618E-C401-000000000602}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.execsc.exe /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\djymreij.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=F8F36858B9405FBE27377FD7E8FEC2F2,SHA256=086C38FD66AEC0E824ECB74ECE3D7124174201A9B4F5C9974FCFDBAF04A5870E,IMPHASH=950FB6F62526333E663D35BA72D19DDC{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework\v4.0.30319" 23542300x8000000000000000160873Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.058{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F68CF1B55174D89AAA80E6749BE54DB,SHA256=2F440EF96CAB50577F6A98EC23DE01AD68CCEBD705A3F36010F92007DF556EDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119367Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:55.715{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50151-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119366Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:57.510{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280A7B8DBA5B633F648AE1A2BBE3CDFA,SHA256=FC4F87FC938EC0FC3D569AE7B235E5E2CB16F77A499F03A39716767F9F2322BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160884Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:57.190{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A35740A506253E610D9E1D7EE9FCCE3D,SHA256=BF18F8A258A661211795A6A333013F133CB98A24B8376CC98963ED196FEC3D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160883Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:57.190{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F285663FFEE452486839351A94ADB466,SHA256=693938537DE46DD1DFEBB44F6850B9A3CBC164C339ED1A4B4ADA0BB6C3FF6A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160882Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:57.111{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B08DF68BE5A111DFAD56FC20389ED2,SHA256=A92BAD83589002D7850EDD95A011FC583D44D21474D7523FEB4A4F6FCC431E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119369Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:58.530{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-033MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119368Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:58.513{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B045359C9AF2B4D6121AF362B9F11C9A,SHA256=060020EB97BA3A8CB8E83E78C349D61EF0CE9B6E208EDD70CD475FFCB837EDF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160885Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:58.126{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7725546C063F233D7976B76940A44F38,SHA256=CC0CA3CF32FCDAEF41AF3922C697F7F87C4328CB85EB96D6A8964846E426A196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119371Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:59.545{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-034MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119370Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:59.528{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAACA988FB43B789FAA8CA5DC67C87F,SHA256=ED8072FAF59ED680FCB9C2227692E90AB90B78ED18DAA0E5DDD2742700926329,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160887Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:57.149{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58769-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160886Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:59.158{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B45AB695EDA47B5BB5335247524008,SHA256=A96FA2A580E78CB0539B1A9D7CFF1776B0036C567635819ECA9F7A195B531A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160888Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:00.361{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816206D467B3F3084522BF178E0F98F0,SHA256=2DCF67DA722CEF34156018F65346C00462B13D0FFD45EC4FEF049466A75BB564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119372Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:00.529{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEM