23542300x8000000000000000158755Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.893{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C09D4B7A1639D01ACD3D0BC82028D2C,SHA256=F15B41B9C28EDE779D089759CC1A9E1A91CB483BE47C26DEFF310C5CFEECE744,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158754Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.721{189417FC-29F0-618E-8001-000000000602}45404532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158753Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-29F0-618E-8001-000000000602}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158752Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158751Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158750Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158749Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118252Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:40.176{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46013E6C085E71B3036C35FFEEAA644A,SHA256=3B587B45ADA4898FE0B30B14D4E56B8719476A20A91A58841921127F8A90161F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158748Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-29F0-618E-8001-000000000602}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158747Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.330{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-29F0-618E-8001-000000000602}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158746Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:40.331{189417FC-29F0-618E-8001-000000000602}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000158745Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:37.107{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52806-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158766Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.986{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04083943DF38A63C1AE6C010B9AB539D,SHA256=EF62D41136DAFA57518876F802EDDB461BA5E359942B40048D3836021C878751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118253Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:41.189{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D29666B8A3F68FF2AB66CFE34157AF,SHA256=6BCA29629F14E70B44C2CA621623AD741626B4839AE604900B4F678DBAEA7442,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158765Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.596{189417FC-29F1-618E-8101-000000000602}48444900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000158764Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.361{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9D7AC5B60226DE304692754B2B9D6D5,SHA256=0BAA9D32B23430C4E3D892FC267CDA0973265EDF67EBFD70539AD604C15CE077,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158763Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-29F1-618E-8101-000000000602}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158762Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158761Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158760Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158759Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158758Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-29F1-618E-8101-000000000602}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158757Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-29F1-618E-8101-000000000602}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158756Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:41.221{189417FC-29F1-618E-8101-000000000602}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158776Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.986{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B7337C6FF31E9F90BFCED50185F057,SHA256=8E388FB6D3553E672A060366DE03D4E4050E74108F97B1085EE1C7044989A60C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118255Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:40.716{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118254Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:42.204{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4DC017A56E0777BF96B6779001EE72,SHA256=FD85C13A074DE23424C6D38DE81C5D9208B95B52F7E7F1A3CEC7F44B00A99ED4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158775Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.314{189417FC-29F2-618E-8201-000000000602}41964216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158774Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-29F2-618E-8201-000000000602}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158773Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158772Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158771Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158770Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158769Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-29F2-618E-8201-000000000602}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158768Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.111{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-29F2-618E-8201-000000000602}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158767Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.112{189417FC-29F2-618E-8201-000000000602}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118256Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:43.220{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DCACF56BAF909DA5C72BC0F46DE66A,SHA256=8D9BA50C21175B3B5FCC2401DB626666E5798145A232DC7256F3F941B7197F71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158785Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-29F3-618E-8301-000000000602}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158784Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158783Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158782Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158781Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158780Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-29F3-618E-8301-000000000602}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158779Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.549{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-29F3-618E-8301-000000000602}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158778Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.550{189417FC-29F3-618E-8301-000000000602}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158777Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:43.127{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFD14CE93BC31CB6AB4A68E68B2976BF,SHA256=C7499DBDE8388BB09E1F08CFC0F0A9C2A011C23FD897A6FCF72E326973521F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118257Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:44.236{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321DAE5667872B16439E17A553C0FA06,SHA256=6513C9C2465A50DBCB43C97B0107304AC79605BA98E9F2FEFBA6CFAE83BCBB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158787Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:44.564{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=069159AB98AB67AA14058844A965D621,SHA256=EE0018F0DD431FDD50B6299550927E0605E00241C836D4C720135EE9B23B5257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158786Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:44.018{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3E6DA13DA0B8972DB9C5E9ECFDAB79,SHA256=19AA2147AF45F771A88929A11F46547950F03371D0FB4371BEE138EEFA551A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118258Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:45.251{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA441589288ACDF67ADA6B35C8C2B2A,SHA256=9356C61404A42F87680C6076A237A694BF83B9F747B159521CEE1A43EC6F9B66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158789Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:42.279{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52807-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158788Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:45.049{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A95CA67F60168D3632ABC3F82E6CD7,SHA256=309368AF10A80422B3CFD3A5535BF862A9F4A8D07E2E375F8F0FFE4B4E96396D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118259Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:46.267{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F690F06715942332FD0C54A336D68FEB,SHA256=43B0AE108D4916892BA700970D3E5CC4B8446BE2ED864CDD5B68B4B9929F522F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158790Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:46.299{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B3095638E172D11A114FAA3942158B,SHA256=2BB4D62E900EC15D1EDC55CE13C697F174EC2EF62940CD921D5432793377BF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158791Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:47.408{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26D7014806043833EAD3A99620B5EF9,SHA256=F5C0705CFFC47267CFFCA739ABD6C57A0090DD5ECB3764CE82B3A43DB9938C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118260Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:47.267{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84B0EFAA27A03E76D9A7932BB458528,SHA256=CD378013BF4952DEECA6D492BDE86200F2C52F1348028BBBD5F52D4783954C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158792Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:48.658{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4BBFD4BF9D8A5CAF9EDD23F0E19BD8,SHA256=E25A56B7AD9254A70A03DC0443428FE79305FFD6EB1F7ED31CC9A98D7BA6365E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118261Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:48.283{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80D3DD0FFEC97FBCAC7F498F3419C51,SHA256=0B6565B8966EF4D603F821AACA623B02D2F17002A56F4D13EFAC3A133DFB7199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158793Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:49.674{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A42FDFA1DD4F982078E225DF2A07878,SHA256=00C4C5FFC83305152A554523C02F5555B272C977A81C69AF17F723EBD9800FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118264Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:49.397{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-027MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118263Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:49.285{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9329E8A8CF7F78971EDEC7B9761F9F3,SHA256=E4EB67F6BACD4E94A358168E9F20D467029594A8FC80C3512C916ABC08A5D5A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118262Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:46.575{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158795Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:50.674{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA286BCAF103709FC0ED13E5D44695E,SHA256=9CC794D50006D13D2C053BA671EDD25255A0BB3B8331942A1C11D35288482D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118266Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:50.398{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118265Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:50.287{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A221C3D8EA32735637411074E3C7DD83,SHA256=18AA8A53AD21270914EB21A40899A7E986770F07A9F49FE833D32E7142D83FD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158794Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:48.154{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52808-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158796Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:51.674{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FC38A0F323691598CE4841978812A3,SHA256=6D0432C72AAFCA1129B5CD8590861BB257C01FFCFE9FC28A507EBD9F07B67D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118267Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:51.303{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6D9CF0EE4B4927EFD42C02B66BEB54,SHA256=2876695E8C50A2BE7E067329D8A09B620703961F28D18461AE7746F3D00A523D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118268Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:52.350{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D389B30515345DC9962B5D6DF085F384,SHA256=C8DA5D6F12639B8B5AD5AAFBAF9ABD64BA02FF9B5F645E935AFCB884237FD246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158797Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:52.799{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295CC0BC8E3BAA75F44A8F2798387CC0,SHA256=7EDDC7EB4B75C8E609B32AF354BF1545D6705A93A91F5909B418C41FAF2FB38F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158798Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:53.815{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0A864F22AAC98FFD298DC92D33D0C9,SHA256=4381142CE8E05A310013977C6673E01B8CD986684B22D425C2F412C7C5DB280D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118270Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:51.658{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118269Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:53.381{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10ED4D3A7CFE67818BF0D6169D8F494,SHA256=4DA4F803E6F607974EE26F30AF720FFED5468C31D3922ED4F225D5692CF234C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158799Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:54.830{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E181CF2E707F7F6BD08CC000F2C6AE85,SHA256=3F9813A59EA2B31E3990C6DABF2D7D1F0F61CB26CEC3CA67D54C16A053A1D89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118271Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:54.412{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D722249F40A509514F84758E0EB741A2,SHA256=87EE78B1EB0F1A242876A8AE15FA7730A58C477B5033526809E324EB35C6599C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118272Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:55.521{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF2949428E3B1983A1D8018BC9E3425,SHA256=2A4B1CA082B001F9764EFD606926E38268A7E714467D2EC52C786E3B4F16DF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118273Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:56.537{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD0D4DC8EE8268874037F570AB29945,SHA256=080E91B5D72A551E0E7C9F85E6326EF2414D98C8E4D281A2A3766E96D2E0FA17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158801Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:53.248{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52809-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158800Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:56.018{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8459A5408D9EB99A689208524A178B,SHA256=885BF35FE5EB42502FD0E5B0B5D33BA8641716EB3E4153155838B3460335F3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118274Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:57.600{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5770218BB5DFC1AAE47518DF83F085,SHA256=E463F1B3E5D918A6261C351054BAC2B996F0323C6EFD85EBDC74DF501D6D129A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158802Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:57.018{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA3F349A228FD2615B2B2DA6E507D70,SHA256=964E6DF1EB0EF35C2C2747B28F7B6B230B2F3F855D97F3B0500845F6D5869E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118276Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:58.600{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF71C0D0426809423EFF9708AB0A2B3D,SHA256=BBDEAAA071251B1D1452B3BB5C3A7EFDE4A45FF7FE5B892EB34D66484A48EED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158803Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:58.252{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0420EB29E8C3D65684B31087643A905E,SHA256=9492D233C977B06CBC6266140D19866F3529CCE1A0D2691A0AD8EF12CD030EA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118275Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:56.736{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50081-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118277Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:46:59.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882982284A0084C10960B15F90D74AEE,SHA256=0315B510E198B0E9BA80B6CB6B2E011B3811FFA01F4533E69BF1B535CC2C9C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158804Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:59.408{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F88D5C88B6D3B039B58943CA9C075C,SHA256=8F9D74813B80A6699650DED18560F8E40FB319D6F69ADF7BCB47CAF8DB1905FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118278Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:00.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF1CFF23BC2C9ACC565754FAC6FEA62,SHA256=FD2FDA56C87257B0C5CC2D4B5CB48F2F71ACA4BFA18B86237A73205481E5C64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158805Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:00.471{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B118B8B4D450ED6DFBB54E8FD94720E6,SHA256=3F79A8753580E5B91587419A79530937E72ACEE89BEBFEAC0B19D568B3796D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118279Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:01.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B41450EC585EDA115E2FC3D2F18E9C,SHA256=4CE686CA4B36B2A09DCA60E0B000FF2D2860E25469F0A0DBCE1FAA804F36A366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158806Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:01.705{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940073731243303C1E7CEF4F2FEA3DF5,SHA256=4150A29CC4E49193BA8E1F8023B0A2634563FF3E50E7BC1000899CF0B702F124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158808Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:02.721{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA3F2CB79EE30582EAE52D7BE4191CC,SHA256=86670F512D6128A6A3CE359A09147E8BD130BD3239FE57880D03528EDF4ADE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118280Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:02.631{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6E9B2757DF0349F020E783A84B8753,SHA256=50D96333B8CD5E977F39572EAD04739709035FF1F806EC872A7E47C517636F31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158807Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:46:59.201{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52810-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158809Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:03.752{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724E389D7E138304F26AA57E6B1EE6ED,SHA256=B59F55DB08BBF4325045363C3214EB7AE9FF163D49D276DF8360458F26596C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118281Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:03.631{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B590D3BB10A5BFC2FA699F079118DA,SHA256=97BBD55392AED134485D30FD9DCD45DF88763A243EA7FD5F3C1EF563C4154B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118282Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:04.646{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D198158D27A4C5BBFE83E9D8511238D6,SHA256=E1CBA06974F9109B759817E77875C2BAEC1E6278681842F78FD5A8511A962600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158810Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:04.799{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7375F7D161EDC2641943E87DD07B0E31,SHA256=226CE879C01E00FD0C79EDEE3489A82881ABEBF5BC59E76FCA2C4F87DE2D4B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118285Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:05.865{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC494B9FAACCA3EE92A7E372F7DB70C5,SHA256=3970B6633F5FF66EE10C3B76375FFF08DB2674304F55C2101EC461E7A10A04A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158811Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:05.799{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02A288D1AFDB156FB015126D6FF81E1,SHA256=5CCE076C0412FE8318762CFF70CA355719D4D1F430415BC8760FA3C3D53F9832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118284Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:05.615{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D92744A99524A0DA4F955BBFBE900218,SHA256=FA4B8EAA5B8D2C20209E0E7FBD0A5B7F753031BE2BE620DEE2072D3BD737BC16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118283Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:02.582{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50082-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158812Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:06.924{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5499D07D460A17A105CBBF6149533F4B,SHA256=66AB7C734E62FFF2C1A23E1D3CD59687576C46000E1E93154F27DDF16AD5E112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158814Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:07.957{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550B064E5229373377E4A5E727CA32FD,SHA256=5EF3D1A2250F005842D6AE61A955DB8D19FCFFC3C4E5E447696B522789612428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118286Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:07.021{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5303C019E4AAFAE8BFC90D7CD053899E,SHA256=398B60E0F2C6AA204D7B82EBFA53C656B790B6E709027F0D87BFFC26CFF29A9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158813Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:04.279{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52811-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158817Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:08.963{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6394374F0504289857D565F7FCFE1C54,SHA256=6ECAD540124D21BA3002763F3E2C9CB059569820A9AA1CAFC9DEFBEDD89EE672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118287Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:08.021{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D87FD1A1C7C1D434A45A0AF21CB59B,SHA256=886B24E91C5E748CEA4E405FE83BC64A2C49DD2F18AA42D479702FE2500D5D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158816Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:08.682{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F03897E78B201BB00D24920085B5676A,SHA256=9F9B897F26F788281FC84A2D57BF3FFFE86590424D7A2A88B0C4D30A4A8F6FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158815Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:08.040{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-027MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118288Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:09.068{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7386CFEF9DA09FA64BFC9E2B46D9D24,SHA256=F2AB7AE286DA4B7984247EBC2DA363D69592703F4FE64BA6ED6B4E496D4A179C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158818Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:09.044{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158819Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:10.013{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6811B159643F776FE03C20C2023D0EF9,SHA256=99CBEBD331CEA87FA9E905304DFC87CEC44DF1C72D7209A1464023C7AA473481,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118290Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:07.783{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50083-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118289Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:10.068{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2E85344D04BF1F33C9CD76F7F1C9F9,SHA256=E39164561902B788E64C49800F624F92BD72D63D3FAF8B11CC4D28742548E145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158820Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:11.060{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D6C9BB0B3E79A394DC3F3CF44E843C,SHA256=F8D6C7A0611C09182C755DDD726FDAB399580E54DC820062DF3BCE53468BF9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118291Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:11.100{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25871D9D393DB6DE4D45CF49F534C3E7,SHA256=F99199F77951B4D74663CDBC1C7FAF176567B40285C061AEECFCA8EFFB0422E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118292Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:12.131{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F6BB7B1B5D5F6D159D184182AACDD0,SHA256=B6CDC825277077ACD33449254E2BAA4BCE1A90C3F93D098F254A3D5FFFD6CC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158821Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:12.295{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39F8555D6AC07B8977EABE974FCB63D,SHA256=C1CC06F850472BC2FE2E3DC8504086BC557F67DB007A60E3C546AEA45BD5DAA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158823Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:10.212{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52812-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158822Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:13.310{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBA193DDF4F0DE3A5C8A5DF5301B149,SHA256=9C411490AC1D55FEACB0C9572DB089C52B7C65529DE6D6819DCB497168DC2894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118293Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:13.147{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA03BEC8420BEA83FDF8550BEB37E35D,SHA256=E08DD1D9770C4D6FB2EFC771FA101A3FE217990E100BF79DE82CDC60F317FE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158824Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:14.545{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959BBEE90D739DE94FB7AD17E2394242,SHA256=BE50AA074241690E8123B72222DC5AD26278EBE02CF5C805400EBF1ADD98F621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118294Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:14.162{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BE6C7B55C9099B731D93F4D2101279,SHA256=7683DD17F35FE0027A399A48186192EC6C538441ABC7EA3B79FFDD3110A100D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158825Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:15.545{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51F611AEB15BE5143D2361EBECF90AB,SHA256=ED87D709316069B3B0A3ACDEBDCBDC6BE9289C26FEAE23E1795FEB2C9A28C160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118295Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:15.225{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B54C917C87DA047748489C91060C6F,SHA256=622747A97F97A57160E5C19138AAE2B7043A7174398072C03E7557FD051D025A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158826Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:16.576{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432A39449E5B025F785C8BBD2227B1D5,SHA256=3B52D3B0A9EDD866AE4C57ED3B7D51D73C837660C9F5D0A1CFC602441DF3DE71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118298Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:13.768{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50084-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118297Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:16.334{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7455D2954D89B521D6151E694B3861E7,SHA256=4D149E6A84B961B12E589A5F6070BDD46C2D61EA85F29E34A18DFE2E5573A6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118296Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:16.225{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158827Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:17.685{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069AD00A5902586FA5307CC29B009527,SHA256=005E56E5337D2DDB671CF7D229E5556DF74734262BB638A5267939FB7902DC43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118312Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A15-618E-5A01-000000000702}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118311Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118310Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118309Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118308Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118307Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118306Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118305Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118304Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118303Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118302Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2A15-618E-5A01-000000000702}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118301Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.803{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A15-618E-5A01-000000000702}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118300Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.804{147D18E0-2A15-618E-5A01-000000000702}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118299Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:17.490{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CFFDC481229174E9465E4EF1F53B40,SHA256=D8B9656721216F2752D806381CE1D8E9489DCD804FAE5DAC508740AA1475B1A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158829Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:18.935{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF20DA9CBAC1F34134A8C636EAB323A6,SHA256=E905CB753F75A76FF98CE44832F274642F84E9CA8A43ED264B362F0F035C8201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118330Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.850{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE00CC9A65700322E389E84944BBAB0D,SHA256=414F89D85C4DB040C4F7C768BA94ED5492F399CEF64BF6CBBFC48AC4A4F6AA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118329Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.850{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEA8C81C8D6932EC4687914E32BB651D,SHA256=786EFE1144E6843AB47BF9497A9892158B5E2157D57263449F3D1E773D729153,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118328Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.850{147D18E0-2A16-618E-5B01-000000000702}1880512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118327Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A16-618E-5B01-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118326Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118325Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118324Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118323Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118322Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118321Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118320Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118319Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118318Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118317Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A16-618E-5B01-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118316Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.662{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A16-618E-5B01-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118315Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.663{147D18E0-2A16-618E-5B01-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118314Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:18.522{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EF42D228235BBE9A8FBEE3B782C656,SHA256=3401CE3C8AC0D92E71F27A53C38D06D6FAB2704609C8186C75F5F447B63F9CF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118313Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:15.752{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000158828Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:15.228{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52813-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158830Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:19.951{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8495BEF5B646C97FBEDD1E5B00943B8,SHA256=CC72B06B2D5C19128679BED4C1FC37B55B9512C29A06867075DE4BD562D15755,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118343Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A17-618E-5C01-000000000702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118342Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118341Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118340Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118339Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118338Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118337Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118336Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118335Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118334Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118333Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A17-618E-5C01-000000000702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118332Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.334{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A17-618E-5C01-000000000702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118331Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.335{147D18E0-2A17-618E-5C01-000000000702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118345Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:20.350{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE00CC9A65700322E389E84944BBAB0D,SHA256=414F89D85C4DB040C4F7C768BA94ED5492F399CEF64BF6CBBFC48AC4A4F6AA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118344Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:20.022{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D35531D7651B8836BCB71579AF50056,SHA256=3B5E3A38AEA11FEADD770C300F659DF1C315C4B8BA5B8A40EF840B6F0EE79C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158831Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:21.014{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC1D8213481E397DE45B2B379108BB5,SHA256=66B580B65227B28B9D145D0A47C0AB9DEAD28B8A442E3282178C893CAECDBC15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118374Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A19-618E-5E01-000000000702}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118373Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118372Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118371Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118370Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118369Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118368Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118367Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118366Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118365Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118364Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A19-618E-5E01-000000000702}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118363Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.834{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A19-618E-5E01-000000000702}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118362Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.835{147D18E0-2A19-618E-5E01-000000000702}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000118361Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:19.611{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000118360Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.287{147D18E0-2A19-618E-5D01-000000000702}37083344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118359Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A19-618E-5D01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118358Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118357Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118356Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118355Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118354Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118353Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118352Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118351Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118350Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118349Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A19-618E-5D01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118348Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.131{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A19-618E-5D01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118347Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.132{147D18E0-2A19-618E-5D01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118346Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:21.115{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23067763B465BE50448412EE22873E56,SHA256=AB24A42C276A1C96FC90A046BB466F2326F7F527D2D8316B4CED9DD0846212B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158832Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:22.045{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA273DF45CDC62C8256649B69690097,SHA256=4243CB73B05A0E18E305F430A3C5DB306216B1E1DBB3760CAC04D26FCF7AD020,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118391Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.662{147D18E0-2A1A-618E-5F01-000000000702}40602836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118390Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A1A-618E-5F01-000000000702}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118389Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118388Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118387Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118386Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118385Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118384Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118383Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118382Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118381Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118380Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A1A-618E-5F01-000000000702}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118379Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.506{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A1A-618E-5F01-000000000702}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118378Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.507{147D18E0-2A1A-618E-5F01-000000000702}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118377Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.162{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=085C81346A4B2F052113D9462B2966DB,SHA256=12C5E407645B20D0F219C6677589C2E7FC7A22CA112CDCD8231BFE83F0FFC4AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118376Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.147{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E45C4030B0E21D1CCFB94247CB57C7B,SHA256=70716189DC2EC9468C65643F13C87C8D40F1970D962ED5DCA11CA0673D23CAD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118375Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:22.006{147D18E0-2A19-618E-5E01-000000000702}35523696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118393Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:23.600{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F5BC9D6ED073268788AB918B9EE2900,SHA256=6C6F83C0B3A4C5F548518D488B4F20220A59D93BD151E81175534D9AC3D43C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118392Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:23.162{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3701E72CC84BAE6F4356F056E809481A,SHA256=D5CA088D41C6E9D943DC6FA17B655058900299D84D1E3A2E5B853F985031FA68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158835Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:21.119{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52814-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158834Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:23.357{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158833Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:23.060{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BF83750CD7A04D87C3C9821FAA7EDC,SHA256=86FA242C76E5C333FE5875088D2E45A7361E188662D03D99D18477DCAFB066F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118407Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.334{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4426C9E49BF10A442D0807DA918514DC,SHA256=FC326811141A7AFD321034213B8C62401CAF3331AF9254766ED6A597BEC21EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158836Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:24.076{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC6F8D56BD61BBA11D1F68F7AB27A3F,SHA256=C02058A5F03137B549D9C057C346C862E2A53EDFD1DCBC2A76C50FBA46139BDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118406Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A1C-618E-6001-000000000702}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118405Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118404Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118403Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118402Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118401Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118400Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118399Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118398Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118397Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118396Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2A1C-618E-6001-000000000702}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118395Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.303{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A1C-618E-6001-000000000702}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118394Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.304{147D18E0-2A1C-618E-6001-000000000702}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118409Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:25.522{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85D89502B9B94D9D362A5AA5D969A477,SHA256=7546FA88CA7266B65DFF8B48DFFF1474EB415FE61F98D599D4A428427E0D05A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118408Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:25.365{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34EFF8C144769E69AE2489FEDEF21FB8,SHA256=1EBF22CC0444D252B0F23FE8EA1345EC983095E70981EAD828037227866EFBCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158838Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:22.369{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52815-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000158837Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:25.139{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8EFD855E97FAE7ED1FEDE12A40B274,SHA256=E579C2621E495EFC4F80375CDB85D11B31DC453DB3E322192F6C72465111817F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118410Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:26.443{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144A21A89ADCE572FCDE341DB8E3D34A,SHA256=2C2815B378B0CA7ED5E98479F941B8592B8876D5D935B068C892ADC9F00CEA1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158839Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:26.154{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F5BECA95783182F346D117F0F2DEF7,SHA256=6D7D55A081C65CA1A4DE7DE1343595BE23286C876BC91D0B4EDF044866B3AD1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118412Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:27.522{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C868B8AB00A8FA3408256A746A9036,SHA256=70CCDF391124355A9C8131C52A867217E3B295E90149AB2E5B0479F7B604589A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158840Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:27.170{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F81B9FE61CF4A93C6AF4BB18769817C,SHA256=48B895E8284E28D10A1EB809C07C7DB8A53149666FAE588643F05FCCE2107894,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118411Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:24.720{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50087-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118413Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:28.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B53F6283F56F7B2F8A86CA1213456C9,SHA256=4CF7C731BBE44ED2172537150DD8C5ACF2F7FC9F6E834E26AFDA1A40CB761281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158841Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:28.170{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40E0F34F3D7004CFF04EBBCA6807A7B,SHA256=E5E8626D170D0EE09249E87F4F8F7630C66A9794610B8AF6D1EF4B5463A3E2CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118414Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:29.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C3BFD96BD424F6DA671476DC4EB547,SHA256=C66BE067FEA65495B1A52DC8288294BD95E33C72C911E0710F4FA7288ECFF28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158843Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:29.185{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E629280630ED0A434D12D522F56C8AE,SHA256=45B7C5B73A568024D7F9AC275990BFC9BDCDA410EF4BC944977280B07C47C2C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158842Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:26.228{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52816-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118415Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:30.662{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D0DA09570979F9B15177540FD2DB80,SHA256=EB9773D49EFB947FA0BDC6B47408C3F4E2C2CF74F33A122C44C6B182B4B34427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158844Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:30.201{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211C54AAB9B8E216CE4BBC04953DB1D3,SHA256=7520FAC93D7A65EA47196556008329A4F427034735C4748E77A7C7C3E341851C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118416Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:31.678{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1733F75EC590091C8B0EE5DCDC832A28,SHA256=43359E396515FE5B187C7D3B60B58963A5F9113EDBEF2DB8D1018D8B9180F9D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158845Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:31.217{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E323E6D92087722802C4CA933BE9AB7B,SHA256=7736E822EDFDCAFA37276766F42CB9F0D6A256877475A136C1155CAA51E5972D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118417Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:32.694{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EE040934AF47E9E9E813F53EE255BB,SHA256=8817DC4039AFED2F771385F752D316F212993BEBD71BC48FBB8F8B7E4C7A220C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158846Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:32.217{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D395328FBD5931DA1C94887A0FB76772,SHA256=30750198875509A5772671BA45C8E1367DDBD35DBE5FC47D8E10F8CD98BCC36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118419Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:33.694{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AC4C589060759E5E2A7613C08403DC,SHA256=82FB15876CE31DB38E6189C76E13ED80A00877452309BB90FD6815533587174C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158847Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:33.217{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FF4692009EE83E9F3B6003448F9A32,SHA256=B64781796BAE9708509FD5860D565C9DF9DF396CCC3F07CD547F1FC53CECF80D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118418Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:30.595{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118420Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:34.694{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD948F51F83D5F8F3B98CEB5B31D726,SHA256=062CBE32E67DBE836B56AA951719DB3DD40100838121E28FA52E6358BA7E7BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158849Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:34.217{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F1EE8D145616E67C2B369CB72EA580,SHA256=C1921104E1F9E387CD932CBF8E279B83A42D9745D7F2D9F04123592B6FC5FC81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158848Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:31.290{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52817-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118421Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:35.694{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80BD909E30CA54BE37D72D02F161E15,SHA256=99C92FF0DD87496C90FFC10ECF40182F18D0EE60B14EAB25233A348C0E0F1FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158850Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:35.232{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5864B7DC429C11F57AC67683C435514E,SHA256=3954AE3B7E18A282785773975804FDAB9FCAEA2173341ACB8515C7A824EE0D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118422Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:36.709{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD2CDFAD58937D7F5365149E2225DD6,SHA256=2B1A63937AC66CE943F7B498662CF1372B41D3BAB661C139C04500BA00B71705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158859Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A28-618E-8401-000000000602}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158858Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158857Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158856Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158855Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158854Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A28-618E-8401-000000000602}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158853Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.920{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A28-618E-8401-000000000602}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158852Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.921{189417FC-2A28-618E-8401-000000000602}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158851Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.232{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D368699380D6A5A367E83301959175FF,SHA256=6C33FD55FD1C96B37AB93A71E6B23353DADD2D501232FBEF76A3B2C2FFEB423C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118423Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:37.709{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FAC9BE3611911AC75933D6B4DFC2B50,SHA256=FE6BBAE7E8C358733D2428F3273F51E569AED3BBD520AE946CA331AD02233A3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158877Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A29-618E-8601-000000000602}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158876Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158875Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158874Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158873Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158872Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A29-618E-8601-000000000602}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158871Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.920{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A29-618E-8601-000000000602}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158870Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.921{189417FC-2A29-618E-8601-000000000602}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000158869Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.670{189417FC-2A29-618E-8501-000000000602}46441160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158868Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A29-618E-8501-000000000602}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158867Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158866Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158865Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158864Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158863Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2A29-618E-8501-000000000602}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158862Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.420{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A29-618E-8501-000000000602}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158861Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.421{189417FC-2A29-618E-8501-000000000602}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158860Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.232{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FDE827320010FEB1BE2E983D68695C,SHA256=E6A8FE1A3C61EDACA0E5D4866BACFCF13109567A699D40DABE3EB4A5448F7705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118424Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:38.740{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB08175BBC4CD69FC891CB3104A4CF4,SHA256=F16F300A4E620E11C9FBAE35B79C8CC74128A455F1EFD37D896016C0F7DE8AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158880Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:38.248{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9976734FA46DE5225B6CF358CACA4C7D,SHA256=A61F4617A008F52DFF04868D7E723DCD325481F8978607C1333B01C11DAF173E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158879Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:38.076{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EADD1B137AE7406DCDE7B9CA4491C9A1,SHA256=F77292B59C40AD3C1F90FBF7FF6E99CCA18537FD14A4CBB464C21C4ED7D608FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158878Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:38.076{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67BAB86E9BF7A3279C365F34B321A3AD,SHA256=490A26700725292D4E837B1D41C5B6AE6E05F50D31C201602D3EA803A1106B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118426Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:39.756{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1D91A7D61D05E2D385C0F18928EFED,SHA256=1FE92621C2DD17ED6EA76DBD2F75F13538B1CBE2F6ABB2A4D2C74F15F3428A06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158884Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:37.119{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52819-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000158883Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.822{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52818-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000158882Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:36.822{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52818-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 23542300x8000000000000000158881Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:39.264{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C92B81D446132F0EBCE3EE5094E6DF6,SHA256=394B0B9D133190E79EFEF5308943F1464BBECA59739007EC39CA853D2AE17FB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118425Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:35.674{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118427Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:40.834{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE6072B00C434C7B34F2F870881B6E9,SHA256=DCA2D76E810E9963574EF08DC15ED3BA1864733E69781AB758AD83DB42E53B86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158894Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.529{189417FC-2A2C-618E-8701-000000000602}26243348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158893Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A2C-618E-8701-000000000602}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158892Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158891Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158890Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158889Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158888Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A2C-618E-8701-000000000602}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158887Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.326{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A2C-618E-8701-000000000602}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158886Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.327{189417FC-2A2C-618E-8701-000000000602}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158885Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.264{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F70EDC7DDF55E144B47544F4B2E658,SHA256=07C3243A3A74AC1E218E86A3DC2B5DA461A6CA422C95900C9A3966F5D122E790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118428Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:41.944{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF1DB58F4FB5B59672184D83A77DAED,SHA256=BCFDB60771A8BEF27D1C7C68A2E83AD898337C07A4C1A21337E0F6C8970C8A9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158914Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.670{189417FC-2A2D-618E-8901-000000000602}39281124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158913Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A2D-618E-8901-000000000602}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158912Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158911Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158910Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158909Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158908Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A2D-618E-8901-000000000602}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158907Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.514{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A2D-618E-8901-000000000602}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158906Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.515{189417FC-2A2D-618E-8901-000000000602}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158905Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.342{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EADD1B137AE7406DCDE7B9CA4491C9A1,SHA256=F77292B59C40AD3C1F90FBF7FF6E99CCA18537FD14A4CBB464C21C4ED7D608FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158904Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.279{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BD280425EFEEB3188C8C3CBBDA457D,SHA256=A8E716EFE6D4C7B1B2A0C3E597ABFBD5DBEA5FDDDC8EF80437BC9A2165569374,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158903Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:41.217{189417FC-2A2C-618E-8801-000000000602}50244552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158902Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A2C-618E-8801-000000000602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158901Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158900Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158899Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158898Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158897Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A2C-618E-8801-000000000602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158896Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.998{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A2C-618E-8801-000000000602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158895Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:40.999{189417FC-2A2C-618E-8801-000000000602}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158916Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:42.733{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E8F1B3BE3C2D4A62D299C5C5E81880B,SHA256=7EBE60C7FFFB1366E62BB56EDA48334847A13EBD75BAF5817C90BFE9C3ED66C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158915Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:42.279{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9C4B4E67A46487CE3A200268AD1F86,SHA256=D9E08341F4CA67F94DAFC1C43A9C94ABC4C298344938F82577945EE88226111B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000158926Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:47:43.592{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a1-0xf54d882b) 10341000x8000000000000000158925Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A2F-618E-8A01-000000000602}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158924Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158923Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158922Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158921Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158920Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A2F-618E-8A01-000000000602}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158919Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.545{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A2F-618E-8A01-000000000602}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158918Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.546{189417FC-2A2F-618E-8A01-000000000602}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000158917Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.514{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EE1960E740D38C3EB32CC73B52244B,SHA256=18C55106C8F734D6D1DE3D682F2C1C9FB29E951C6F4BCBC6C71B3CC2B9ACCEF8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118430Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:47:43.319{147D18E0-233C-618E-1000-000000000702}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a1-0xf523d583) 23542300x8000000000000000118429Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:43.069{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC7E16710E0FE008E076ED947FC7EC5,SHA256=F23C51240EC1BBB8E8F032583CF34DDC326C302C4F9C1F7A954F7557D1EC92FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158928Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:44.717{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6777284CF8FDAE9D635F7F55A7380F59,SHA256=51563E58FB6C3A8D2A9499C42B4E4B57CF619F8BC31E4F3FA7C05A4F5A05D8B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118432Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:40.783{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118431Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:44.100{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CEB70549344E1AEDA9F818FBBD0097,SHA256=6CACA5866C2E00C5592A473EA7CA3F96809A1A0562CB113599747B642BC65884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158927Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:44.576{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE6E4A0BA3F35BD170DBD5BDF6990899,SHA256=D34FF4564A1654C4EFCF5984BC22D2799267CFC2C25118B3FA1F987F3135D9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158929Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:45.768{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF6DE04CF01E597DA6001DD42D59470,SHA256=419669FC453DAB29FBAA51FD6EB66C35BA0020292B2982C7E3D544F5935B2973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118433Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:45.131{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563FD05EA51D9B8300853A2CBFEC3A8A,SHA256=FB61A56D1947D441CCC69FDE4C26BC9D4C564B2CE817C24FB5D1D80728C7192E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118434Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:46.334{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BD612768B5C0AD46D83B3C63C5F2DC,SHA256=4509786F4B77C0F508F36D49B499139C20E25AFE2621BC4E7AF29C9BCA2304B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158930Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:43.087{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158931Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:47.002{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B571B1339DD823955EFE76899BCBA2E5,SHA256=D4DC5419EAE339853CFEBAD32AD23DECB9A4CBA326BF3C807B27D2EC5E19B46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118435Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:47.428{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6F1C2AFF92457BA8B016233ED8437A,SHA256=4F2DAD100A82B9EB1C1F407C2348F36A635AFBF85977889EF4DDDB70BDFFF65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118436Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:48.444{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFABBE3E8B1D0C6AF50C6567D6DF3E3,SHA256=B7846A3013DF753BB5786315B1CA936DAD8B0FEC999CA98B1A10BF7A1CC11C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158933Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:48.596{189417FC-233D-618E-0B00-000000000602}640NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.datMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000158932Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:48.237{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3CC45025A36D78B549EE8999F9AE77,SHA256=27B56A1739659EDA5A231D9E90134E1BE15980A32785E7B96C2870F10CA8E685,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118438Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:46.736{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118437Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:49.459{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9491CABA4EFB322B6B8A633FE3FE4565,SHA256=AFBE098A7F3868AB6AF142CFF9FE4B302BA722F782ED54340AC3B8076E350E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158934Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:49.284{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145F370901C5C83CEA86F473BCD13984,SHA256=553F56915A4731553EAC87580D4C4762EB9D5CAECF49A29E8D071FD274BC5733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118440Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:50.917{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-028MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118439Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:50.695{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD38BD480DA526C7E466E6D948033DE8,SHA256=52B20C3EF4A041B3AD2346A741A0FDBEB9F0CB1F7D4314EC8BB619B690218EB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158936Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:48.150{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52821-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158935Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:50.315{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842A457089CBCF665F835D4F6285ACE2,SHA256=28E1A1F2E3371AFD0D05A978B4B96EDE856F181C6477529F903AF1941BD1855F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118442Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:51.917{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118441Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:51.744{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4273A0693D40629EC692DE728E6CA8A6,SHA256=8DF4BC7B658AC402662F81AB74E6D7D7EC64A93993BB0421DED1E58AFA184F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158937Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:51.409{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A4C975D9BC68CACA4F1A4BFED063FA,SHA256=1F7A80FF3547EBD105A10DA0A1D5D3C7F9BE7D6EB7FE877B97A7D75839FCE962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118443Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:52.760{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B140A75FEB9E5125E8FDD56EE92DD2F6,SHA256=22F3F1F5FEE60501E15FC99735EA2797810C4343775DFCF49A73B6E5B3992B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158938Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:52.424{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F93E71D1AC1DE80DB4AD6BB205FEC8C,SHA256=4124076FA560A470497F8702BF9C9FC744588EC80615C94AB234F129E108DD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118444Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:53.791{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573B20DA38C47A8A1B8EADA18F3E685A,SHA256=3522B4087BC0F13D65C0904BC87B261E179DE37F18C3F0DC93144EADD51F59FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158939Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:53.440{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A99AB868AFF5E2F592153DD13DFF0B,SHA256=B30933430F2792FA43847D1E21D87F7714650DAB4ABB611FF41B968437E01F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118445Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:54.807{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14F4DA1CBF0DC768A92A9C89D7789A9E,SHA256=94301B2B038AD58870FE0113CBF00D71F58F04E0F772612703C4F7966D87728C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158940Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:54.456{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE6CF23CBCCD0591D1DA1B629FFF3DC,SHA256=982CE9C8D873EEB4072DAEEE82F603F6B9AB71909E93BF0D40A2AF951DE659EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118447Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:55.885{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45B264404D3D8814267C67D506C8FA6,SHA256=0F7EF4A15F8A386E2AD47A0CD2ECEA5F24C724FD9FD7E1CC8EFD61E720BC88FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158941Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:55.471{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1947B55D9CFF4D2417AB3E3CD2F58524,SHA256=1FF1DD1822A2549E631DE4F1B175C0FD2ED75C38755ABDF7ACB8691EC0E4F5D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118446Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:52.615{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118448Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:56.901{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06D66A8C86AC5AF9787E22BECD4330B,SHA256=5BB21418E637882B9DF882F7F92C1EAE2376FA784C5180C66863BE0451088E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158943Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:56.487{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04B90DCA7A39D6C1D7DCC4C56E283DC,SHA256=45524F1EB5B7EEEB0530E5461B02326FD6BC4E80B7751AE20226577BE757D1EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158942Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:53.244{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52822-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118449Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:57.916{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDCA40EA73E9816A899D2C38CF13EAD2,SHA256=6C83315357DC0FF719457C717468D1F11BE452BDA19AEA8F775A651EA6AB89B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158944Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:57.487{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022B3ACDA6B886A291CF236F6C0B725F,SHA256=365A0246F613D5E1ACF730452EC63E2C022BFE24403EB472F010B6C97D8F911D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118450Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:58.932{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C30DBFA1185714180F9D7E12FBB8DB,SHA256=B273E77176FDBEABA31B1995EF33621E2288495ABBF5D518BD232B9C19DE13E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158945Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:58.503{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CABD5B8972A2D127B87CA7A7B050E0,SHA256=5863504DD481F34F07DEA8D07853ABEA7D256AFC6039C4D3C816708D66CAEC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118452Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:59.947{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16FB5FEC5203A1A8FAEB8C587D1CE1B,SHA256=98FFAD7A9C02910B62BFDC94FED6E9B54415D1BF58DB39B929DB42524F8A786E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158946Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:59.518{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E26782D59DF55FB775C8B9F7768FF5,SHA256=CCAA52072DCA39E83BF52E9DB350FFA08BCB2BAD0080D02BE42356E62C6239DD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118451Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:47:59.322{147D18E0-233C-618E-1000-000000000702}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a1-0xfeadd471) 23542300x8000000000000000118454Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:00.963{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A80781EA5045650D77890B8CD49119,SHA256=FD0770ADF545CE9416BDDD31887008596A0BA911B7CE1259E73E7FFD57AB6AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158947Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:00.753{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0FC74CE043456BA0F9B90CAA9E31CA,SHA256=60598E8E1854ADA491F54963A847B7371249E28BEAC3395CA10BF1B0DD42E3B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118453Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:47:57.771{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158956Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.768{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563D156A60407C28C84E10D7E64C68D4,SHA256=745EB84A8F822B2B7BE55171896A4C37C8E29526BBF0392FB5AEA365F7E8A71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118455Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:01.963{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51911F1F0B18EDFEB3BD97590484ABEC,SHA256=A620C67AECF1533F2689D6B5AE71A37C78EB66813400108499766CC02DFB23BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158955Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-29A4-618E-7301-000000000602}49281336C:\Windows\system32\conhost.exe{189417FC-2A41-618E-8B01-000000000602}3688C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158954Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158953Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158952Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158951Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158950Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-2973-618E-4D01-000000000602}19681584C:\Windows\system32\csrss.exe{189417FC-2A41-618E-8B01-000000000602}3688C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000158949Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.206{189417FC-29A4-618E-7201-000000000602}42484444C:\Windows\system32\cmd.exe{189417FC-2A41-618E-8B01-000000000602}3688C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000158948Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:01.209{189417FC-2A41-618E-8B01-000000000602}3688C:\Windows\System32\ROUTE.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Route CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationroute.exerouteC:\Users\Administrator\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=56AA12B243152DF359E79D143F248F1D,SHA256=BFE7A626BF3B9080997401969954AE0376476FD220E80CC52707FF31CE827D53,IMPHASH=B4266771AA756897B5C9C266177A6A5E{189417FC-29A4-618E-7201-000000000602}4248C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000118456Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:02.963{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8D94158371D150FA742F3F559DFB9B,SHA256=DD9E55B0B6F0DC7C2907EDD642DD36F1B6A0D49C893A2CBE163A328391DE3255,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158959Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:47:59.118{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52823-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158958Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:02.221{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DEE9AE12ECE8A28EA1191BF43B52613,SHA256=AD74740D1B8D5A92AAD2E7A55D174628D8D358AA869164C1388359956218806F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158957Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:02.221{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3528A095A552431D92B8B6FDD05F5F58,SHA256=B44B1320A117A138F350A7280A0398F8426521B0E8F0A98E09031A20D887E5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118457Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:03.978{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDE1BE3EF939A9E0AD7B2774C46505D,SHA256=5803137ABA0779BB3A559800F8F5C3A95265AFAAF3BC6A25654A3274537DFE8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158960Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:03.003{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E17BF7C0C3B847DA942706DF9AC07C,SHA256=9C415693171E40C58D57266B594453E4A1BF987D06382FE23D6471B34A37E185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158961Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:04.018{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F70D0EF5381C9B4EF4C75BDE5E3A4DA,SHA256=6731CB2FD401C6FDCD2D85CB7E4A6D9CB044F0A459ABD67AA3D8E1CECA1D4FF0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118482Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000118481Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000118480Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000118479Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\FlagsDWORD (0x00000002) 13241300x8000000000000000118478Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\TtlDWORD (0x000004b0) 13241300x8000000000000000118477Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\SentPriUpdateToIpBinary Data 13241300x8000000000000000118476Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\SentUpdateToIpBinary Data 13241300x8000000000000000118475Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\DnsServersBinary Data 13241300x8000000000000000118474Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\HostAddrsBinary Data 13241300x8000000000000000118473Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\PrimaryDomainNameattackrange.local 13241300x8000000000000000118472Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\AdapterDomainName(Empty) 13241300x8000000000000000118471Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\Hostnamewin-host-29 13241300x8000000000000000118470Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.775{147D18E0-233C-618E-1400-000000000702}748C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{1AB7E4CC-7BF0-4F92-9B09-17BE30AB4E4E}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000118469Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000118468Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000118467Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000118466Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\LeaseTerminatesTimeDWORD (0x618e3854) 13241300x8000000000000000118465Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\T2DWORD (0x618e3692) 13241300x8000000000000000118464Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\T1DWORD (0x618e314c) 13241300x8000000000000000118463Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\LeaseObtainedTimeDWORD (0x618e2a44) 13241300x8000000000000000118462Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\LeaseDWORD (0x00000e10) 13241300x8000000000000000118461Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpServer10.0.1.1 13241300x8000000000000000118460Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000118459Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpIPAddress10.0.1.15 13241300x8000000000000000118458Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:04.760{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1ab7e4cc-7bf0-4f92-9b09-17be30ab4e4e}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000158962Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:05.049{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF79DA87E0A75F7405193EB382742EAD,SHA256=7BACF823785D6E2B5CCC33E5854B20AEFAF405B0757C4E4DA4A9F036FE4E4D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118484Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:05.619{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4F4EFCD11DE585C27A7FCD90EE950D89,SHA256=5E9D1848F2CDDE9D1E28A63E4CA5E057A166D7970E86F72A90DCADA6ADEB74BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118483Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:05.010{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C586E5746062B8C3B57949ECF41C50,SHA256=AEC99EAB98CB8A89DBB82D88F5E53970D50C1479F2164DAFF1EF572CCA84885A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158966Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:06.503{189417FC-233D-618E-0B00-000000000602}640692C:\Windows\system32\lsass.exe{189417FC-2339-618E-0100-000000000602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000158965Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:03.796{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.15WIN-HOST-2964796- 354300x8000000000000000158964Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:03.794{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.15WIN-HOST-2958308- 23542300x8000000000000000158963Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:06.065{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F08511017057A78F4CFB8A379E89718,SHA256=6A77BA9AFD5E95F5DCF713A783D821DA98A23E95D69A56F39D9957AFC0F9EC96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118489Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:04.320{147D18E0-233C-618E-1400-000000000702}748C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9870:38cb:8c6:ffff-58485-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000118488Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:04.320{147D18E0-233C-618E-1400-000000000702}748C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:424:c2dc:82cf:1fc7win-host-29.attackrange.local58485-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000118487Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:04.302{147D18E0-233C-618E-1100-000000000702}984C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-29.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x8000000000000000118486Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:03.740{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118485Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:06.010{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A4147EC74484C0C7066674C678C31C,SHA256=85F5C1C986BBD4E9F0EED4F3DD19F457A7B876B7354298920A9969D50FB018EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158970Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.518{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86CD3F6A81EE8F903EE7B2A9358D17E4,SHA256=BB3F8196F4D93BA4CB373B4925F34C70968F74C901ABDA795F85F9D9F64C3043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158969Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.518{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DEE9AE12ECE8A28EA1191BF43B52613,SHA256=AD74740D1B8D5A92AAD2E7A55D174628D8D358AA869164C1388359956218806F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158968Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:04.275{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local52824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000158967Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.096{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26916DF6359C8A7702F5B9483078C239,SHA256=C8EF544DD081E28864D536ED52036A3DD5686E73D462057050CC9A1DC24AAD74,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118500Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000118499Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001b9027) 13241300x8000000000000000118498Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d799-0xa156ccb5) 13241300x8000000000000000118497Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7a2-0x031b34b5) 13241300x8000000000000000118496Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7aa-0x64df9cb5) 13241300x8000000000000000118495Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000118494Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001b9027) 13241300x8000000000000000118493Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d799-0xa156ccb5) 13241300x8000000000000000118492Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7a2-0x031b34b5) 13241300x8000000000000000118491Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:48:07.119{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7aa-0x64df9cb5) 23542300x8000000000000000118490Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:07.025{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF1A4DFA4D98BDA21451241572B3923,SHA256=333C90E0530E4AA61B7D4670C9E5A424E6B66FAF9EFD902159BE4D73BF9A3605,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000158989Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000158988Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000158987Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000158986Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\LeaseTerminatesTimeDWORD (0x618e3858) 13241300x8000000000000000158985Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\T2DWORD (0x618e3696) 13241300x8000000000000000158984Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\T1DWORD (0x618e3150) 13241300x8000000000000000158983Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\LeaseObtainedTimeDWORD (0x618e2a48) 13241300x8000000000000000158982Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\LeaseDWORD (0x00000e10) 13241300x8000000000000000158981Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpServer10.0.1.1 13241300x8000000000000000158980Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000158979Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpIPAddress10.0.1.14 13241300x8000000000000000158978Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:08.768{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4a100c7a-4ab5-40e6-8b70-116e5e5ab451}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000158977Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:08.690{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=54162E7168BB40034D3255BC719A12F9,SHA256=010F3776F1B20C3D4768BD5612EB0DC804F2D0D22984617ACC93908FBC922497,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158976Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:08.596{189417FC-233F-618E-1600-000000000602}12524300C:\Windows\system32\svchost.exe{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158975Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:08.596{189417FC-233F-618E-1600-000000000602}12524300C:\Windows\system32\svchost.exe{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000158974Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:05.715{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.15WIN-HOST-2953853- 354300x8000000000000000158973Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:05.526{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local52825-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local445microsoft-ds 354300x8000000000000000158972Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:05.526{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local52825-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local445microsoft-ds 23542300x8000000000000000158971Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:08.112{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE6D5AA358F450ADC31786200BBA883,SHA256=E718A9208F5E37F515ED65AE89C274C1C60F13DDC0D82FE7206364019C601D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118501Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:08.041{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077FE2786FD6EAD5369FACA54AAE6CD0,SHA256=A905BCEBA137EDB244581C3B789F2493633C8E4CB163D120BFB264DB92387740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158991Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.568{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-028MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000158990Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.223{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9116A6722039160BC7645D89C332527D,SHA256=F2479C581423A236F19D26ED7FA16E05EB6813DBCB369C6EAB2966EE72E81CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118502Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:09.042{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6225E4B8866D962DEBDF808D523B902E,SHA256=908C6BF6D3D50C768C1BE66B241FC9E81A7D26052039398B4726D9A2340E7401,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000159010Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000159009Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000159008Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000159007Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\FlagsDWORD (0x00000002) 13241300x8000000000000000159006Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\TtlDWORD (0x000004b0) 13241300x8000000000000000159005Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\SentPriUpdateToIpBinary Data 13241300x8000000000000000159004Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\SentUpdateToIpBinary Data 13241300x8000000000000000159003Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\DnsServersBinary Data 13241300x8000000000000000159002Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\HostAddrsBinary Data 13241300x8000000000000000159001Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\PrimaryDomainNameattackrange.local 13241300x8000000000000000159000Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\AdapterDomainName(Empty) 13241300x8000000000000000158999Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.813{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\Hostnamewin-dc-362 10341000x8000000000000000158998Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:10.798{189417FC-233D-618E-0B00-000000000602}640808C:\Windows\system32\lsass.exe{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+31345|C:\Windows\system32\lsasrv.dll+2f1db|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000158997Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:10.798{189417FC-233F-618E-1400-000000000602}1112C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4A100C7A-4AB5-40E6-8B70-116E5E5AB451}\RegisteredSinceBootDWORD (0x00000001) 23542300x8000000000000000158996Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:10.583{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000158995Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.796{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:f860:2c00:ce0:ffff-63249-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000158994Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.796{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local63249-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000158993Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:07.790{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-362.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000158992Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:10.238{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F542B2796CEE6B61C990A33D9E9841F,SHA256=DAFD26F68BEEC9D56900A759F3503DE82AE889C1FE2B265187268E73AB6D2BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118503Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:10.057{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268BCD75D6318133ED599EC07340A088,SHA256=15712EF16645A09611DD316D1117201286A7D2046DC47FB38F7C13DFF91C2D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118504Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:11.089{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9514B36CF69C9AD4F330CF1D765783,SHA256=4AAD26C601BCAF5CEA5E400B6E55707AA74AEB4B6FEFC213B2FE4B38380A5068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159012Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:11.802{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86CD3F6A81EE8F903EE7B2A9358D17E4,SHA256=BB3F8196F4D93BA4CB373B4925F34C70968F74C901ABDA795F85F9D9F64C3043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159011Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:11.239{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCECCFD5EBEE36CF733744DF8D99061,SHA256=9FB3C88E0F58B79F9A12F9BD280D1620E0304ED3D54176FE15DD6300C98BCA27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159023Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:10.054{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58675-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000159022Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.836{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53701- 354300x8000000000000000159021Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.836{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local63808- 354300x8000000000000000159020Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.829{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58674-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000159019Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.829{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58674-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000159018Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.827{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local54473- 354300x8000000000000000159017Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.826{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-362.attackrange.local58673-false10.0.1.14win-dc-362.attackrange.local53domain 354300x8000000000000000159016Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.826{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-362.attackrange.local58673-false10.0.1.14win-dc-362.attackrange.local53domain 354300x8000000000000000159015Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.824{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-362.attackrange.local63249-false10.0.1.14win-dc-362.attackrange.local53domain 354300x8000000000000000159014Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:09.824{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local54215- 23542300x8000000000000000159013Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:12.270{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B8C8A6478B0BA9859FE820DCC7CC7D,SHA256=44D0389DCA2C40323240F757985AFDF7FDF2F5FC1FC2E05EC19C87B3D2A12DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118506Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:12.135{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82EBC2EA2E8CECA0D747FEBB1413D43,SHA256=9492B692D8C2CDA0369D8D786BDFE417E8EE39BE3319E4F04D2F63DAB26B38DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118505Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:09.788{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159024Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:13.505{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A0CBB60334F0A2D19A4BDE75028EEE,SHA256=6E539658623E20D9E4DE8E8020C64AB4E91730674B30D8AA5C345C213456F16A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118507Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:13.167{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5451587FFBC172CC29FAF7DEE6BBA3B0,SHA256=3EACC1D9FF513C81EAA3A926C92AF2AB67FEAEA87A17C5AE89B162761B7F138B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159025Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:14.505{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6FAC8C8865BE5D00D8700047A9182A,SHA256=138A5C2CC5857535A08FF80DC18DD36330882B48E12133880779E139D33B6267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118508Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:14.167{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EEFCF2A31FE042247A068BD99DC58F,SHA256=A4FF225B2A1D86167FD1F4D0ECF13C98D707E3C9084F0DFEC9B47FB8FBBB2EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159026Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:15.505{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4C72ADE2D9208D776112BD781EAF31,SHA256=66D9668976694B813EC3480E9223DF3094D3AE0C45B64FF6108F8A75860CBFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118509Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:15.385{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4803945048F2DBCB02E55ADBA2CA063,SHA256=D8CA0163AA68685D02F2714CE144091E255103C5707F607191E8D183BEAD60A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159027Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:16.520{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98D9C4CEC45622D704AD98E3398EE6F,SHA256=9D0BBA926D1347EEC12AAB50BC1A7CB243DC2A6946F893A84430FB07C7D1ABAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118511Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:16.432{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08871F13ECC986A558ECBE9DCB11198,SHA256=9E9E28C46BAE206223CE68BB60C48B3C5AE7EFE1ED7367F91B24E9D4C5436A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118510Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:16.245{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118526Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A51-618E-6101-000000000702}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118525Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118524Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118523Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118522Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118521Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118520Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118519Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118518Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118517Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118516Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A51-618E-6101-000000000702}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118515Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.791{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A51-618E-6101-000000000702}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118514Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.792{147D18E0-2A51-618E-6101-000000000702}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118513Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:17.526{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069E335D0842054E6C1C8855B5689341,SHA256=0F79121078DD77F1B66B8D473E648E8B08361FD2CF075817CC0E0909404AA286,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159029Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:15.199{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58676-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159028Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:17.536{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D50AB038CD756E3541979516DF18A9,SHA256=DC7B91E3B33F2865BBA668B4E8B711166A0EEBDE3BAFFF4A450A022507D9BA02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118512Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:15.616{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159032Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:18.552{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478307B02677CABA748C74BC398C8C5A,SHA256=9555045DAA0595EF9B526DBE7C25A8D5005CA00CDB6D296F6A982E8D831C2731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118543Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.932{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E89FBF91AF5DDB1A74BA806B8575B859,SHA256=946C367080C8E0D0981594AE863AEC502D7E7128A951DA2C3A0F4E2D98867078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118542Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.932{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A173511C0419C053E968FFDB44D0E38,SHA256=9DC1A37EF0A6F4CEC22F3C2C78FE49F112B0EEC6231C7D1A1A962EFF4F578B7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118541Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A52-618E-6201-000000000702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118540Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118539Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118538Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118537Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118536Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118535Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118534Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118533Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118532Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118531Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A52-618E-6201-000000000702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118530Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.666{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A52-618E-6201-000000000702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118529Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.667{147D18E0-2A52-618E-6201-000000000702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118528Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:18.541{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09B7D4776608EFC1E911479944DA50B,SHA256=6EB75A9F79BA992DD4154C6242DD4BF7983DB88EC427AFE1253AF462BE6B64D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118527Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:15.772{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000159031Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:18.255{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F42B710F4603C8FE48F277DD06B323,SHA256=C3F15B06941DD18129D3F94717D53BB5945089BFC7724F48D0D7C34DE08A1238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159030Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:18.255{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AC8BF733F83F39504EFC676EAD21D46,SHA256=BD12E8D72B8DC804DA69AF02CFE227FBD4A3D7EFC6FC75B6704E963A9DCC1B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159033Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:19.770{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02DE47378DC2683C026E4A3BA8593E8,SHA256=2FE687D8E9D6DA4ABFF6D4D204579E5F523274F497E7F779ADB110B4401E902B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118558Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.604{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10401D6A02275DD38EE6412C607ED136,SHA256=DCF9505B0BE3BA031F8300A0566EDA7920A9FED17E137B6781BFA80AEA5B777E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118557Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.385{147D18E0-2A53-618E-6301-000000000702}26281196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118556Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A53-618E-6301-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118555Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118554Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118553Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118552Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118551Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118550Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118549Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118548Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118547Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118546Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A53-618E-6301-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118545Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.182{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A53-618E-6301-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118544Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:19.183{147D18E0-2A53-618E-6301-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118560Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:20.619{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C58EDF9B4C28570AEEF2F2C199C0E8,SHA256=67DAEEC8174D35C2007F90AA20F85881FCCA4F5749D5664C544FD0224E9ECE95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159041Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-29A4-618E-7301-000000000602}49281336C:\Windows\system32\conhost.exe{189417FC-2A54-618E-8C01-000000000602}4288C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159040Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159039Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159038Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159037Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159036Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-2973-618E-4D01-000000000602}19681584C:\Windows\system32\csrss.exe{189417FC-2A54-618E-8C01-000000000602}4288C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159035Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.239{189417FC-29A4-618E-7201-000000000602}42484444C:\Windows\system32\cmd.exe{189417FC-2A54-618E-8C01-000000000602}4288C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159034Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:20.241{189417FC-2A54-618E-8C01-000000000602}4288C:\Windows\System32\ROUTE.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Route CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationroute.exerouteC:\Users\Administrator\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=56AA12B243152DF359E79D143F248F1D,SHA256=BFE7A626BF3B9080997401969954AE0376476FD220E80CC52707FF31CE827D53,IMPHASH=B4266771AA756897B5C9C266177A6A5E{189417FC-29A4-618E-7201-000000000602}4248C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000118559Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:20.229{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E89FBF91AF5DDB1A74BA806B8575B859,SHA256=946C367080C8E0D0981594AE863AEC502D7E7128A951DA2C3A0F4E2D98867078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118588Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.870{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3216ABE2ACA4127E3D09FE7C54D3D68,SHA256=08FBB8C615CC24769B6EB8C0AFD6EB6FBB7F76235ECDF54883A1441984A8791C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118587Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A55-618E-6501-000000000702}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118586Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118585Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118584Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118583Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118582Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118581Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118580Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118579Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118578Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118577Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2A55-618E-6501-000000000702}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118576Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.838{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A55-618E-6501-000000000702}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118575Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.839{147D18E0-2A55-618E-6501-000000000702}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159043Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:21.427{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F42B710F4603C8FE48F277DD06B323,SHA256=C3F15B06941DD18129D3F94717D53BB5945089BFC7724F48D0D7C34DE08A1238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159042Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:21.005{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C020A63836E73068221A4E2D5A23BE,SHA256=FF0B6E3EB049D01BD198DC46BCAB02AB5ACBF9B293BDAA4CE659BC68376685CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118574Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.291{147D18E0-2A55-618E-6401-000000000702}35323512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118573Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A55-618E-6401-000000000702}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118572Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118571Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118570Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118569Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118568Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118567Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118566Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118565Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118564Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A55-618E-6401-000000000702}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118563Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118562Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.119{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A55-618E-6401-000000000702}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118561Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.120{147D18E0-2A55-618E-6401-000000000702}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118604Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.510{147D18E0-2A56-618E-6601-000000000702}26201004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118603Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A56-618E-6601-000000000702}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118602Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118601Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118600Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118599Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118598Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118597Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118596Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118595Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118594Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118593Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2A56-618E-6601-000000000702}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118592Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.338{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A56-618E-6601-000000000702}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118591Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.339{147D18E0-2A56-618E-6601-000000000702}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118590Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.182{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAC38FBAECA105DE446E98349EEBD17C,SHA256=F6CF9025AC6EA2E91C6B7B8A6BFEE6DD2B6001EE7343B29603709673ECE61241,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118589Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:22.088{147D18E0-2A55-618E-6501-000000000702}16002864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159044Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:22.036{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B682A19183BF22C722BDF6359B7E4DC3,SHA256=ED695431F8BDC97EFC3AB589A10C49B1BE58DE1EEC39DAF8D95AB94551497189,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118607Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:21.616{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118606Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:23.369{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE3ED1B131A6108FAD6B8B9A02BDE9A,SHA256=D67A61C5E259F539CFFB6BD64F045A436B65414EE0C6A011954706F13A086219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118605Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:23.369{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85D73C38EF49F3C6F05AD953B621F463,SHA256=8F11EA0ADB028086C7CC486ED10E532476807FEE580C55CD37A8567B8EE21843,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159047Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:21.167{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58677-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159046Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:23.380{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159045Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:23.067{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F99F443456ED879602A665D790A0387,SHA256=49F16547AD1D44EA2CCB693A6CC7C74D27E8378B1ADF4EA954836B1DED861527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118621Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.588{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ECC33A7030CD3068859D7E84DE49E1,SHA256=602D9CB750D478BC116613AEDA232F34DF0F061341AF4697140D16348F40C5CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159048Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:24.067{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3716832B0F643F3EA497B8E0FC89AAC4,SHA256=F8B24E0B32C1AE3454DDDB9822D8C59F5592F94A3D301A66B550974E3F88FD6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118620Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A58-618E-6701-000000000702}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118619Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118618Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118617Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118616Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118615Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118614Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118613Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118612Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118611Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118610Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2A58-618E-6701-000000000702}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118609Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.291{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A58-618E-6701-000000000702}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118608Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:24.292{147D18E0-2A58-618E-6701-000000000702}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118623Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:25.588{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BAA488EE5CA0BABB8F6F0A0B2C542A,SHA256=D4337B5FFBE5B0880FBD3384509901817F9548EBEABB8D4985765A1F707B3F3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159050Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:22.386{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58678-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000159049Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:25.114{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7F30F4237D014939CCAABED446A857,SHA256=5BA6AA0145BB50B7F47D266EB46F4BDEEA36722D269FC99355046414CD691283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118622Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:25.385{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55545054141098C7A4F5AE6D0703E6E7,SHA256=64D69C2C7C0ED5D28F7D9D568C5D7D93ADBBB7F8EA7506AE6C0F50624A01E469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118624Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:26.650{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577D67C38AA2EAFBFA7746848C2592B8,SHA256=FCBFC84D1CAC6BB6AF406AFDE24E618EEFA3FB72D7F00F776A26CFB5B2247D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159051Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:26.114{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E9DEC7F502B6F43103880E5BE3B847,SHA256=596ABBA2F95DE1FAF78F7BEEF0D6659EFD4D39D8AA2B761B50C8F60515D661D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118625Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:27.666{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BEA8566EAF1D418DBFF93B083E681CB,SHA256=BD7B1E20BFE09592D8AF5A1C717B4585EEB587B9B16F9551A47F7433A894AB9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159052Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:27.115{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FAF3C585C391A4DD234A0EF182505E,SHA256=DF6588ECB7E216A72499DE8A02FA60C99CE1E2D74DFBDCF5266463DD3CD1C532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118626Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:28.697{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7241AC2B6847728787F11374C69A0D,SHA256=78176BDE1D6869F650A4B49B37EAFA574C0681C2D9322144E6A047B7DB077923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159053Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:28.147{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403ACAC1AA632FB64522DB893292C075,SHA256=4EDA706F2F1CB9E4999E5322B7EC9629356206EA83C75484A879AC8CAC115F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118628Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:29.838{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABB512B7A2153FCD63A056D04B9BA95,SHA256=5A064E24BF1E77FC5CE22058D716326370692A370A92ABD8FD32D9D9AB1C36E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159054Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:29.162{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94466F32A93725AEE73A22E647D91BC9,SHA256=9FC7E0196CD156CFAFA24BD561407BD8EB6349A565A0AB0BBF771595772E76B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118627Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:26.772{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118629Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:30.884{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54C89FEA1140A6C582F30C67691D646,SHA256=228B7EEB3D434650A6C126E165E1307843A2C8F009949C5405F574810539B57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159056Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:30.178{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE51AD0058EC10D1AA51B4972CA34D55,SHA256=43DBCD65CE234D5AA26E374C9C36A9D4F6955E0E900011C3091647F9A68EA874,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159055Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:27.075{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58679-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118630Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:31.963{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E58BD3EB2D8096B055C87BE6E46E8B,SHA256=FDF07181D714E43EE3547500174922414A193FE52B8D1264C89F4AE38BF073EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159057Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:31.240{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4754139344570B0202C435DFFA3CEED5,SHA256=F5976CAF80BAD6ECF3CFE777F7B3C1665CA6FC2E667532072DDFC53F5A8A0EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118631Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:32.994{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934F430B834CBA4D6E65637B898791FC,SHA256=1BABE11177B7438FDD7E54FD06B7223A8A7F9471E4A70CE9E056A82774A9C14A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159058Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:32.459{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA1B8D142CD01C900F2ADD9194FC26D,SHA256=B42F1E83B0D34751C7142EEAFE71EE4173502D632140E499F52F23E6CDCA6F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159059Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:33.553{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394BAF23101B9679298701D59D567DBD,SHA256=82D8C13ADC53DF1EB86C1F0C2EA5DAF52CF4EC978B4BC845FB1490046A57485E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159060Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:34.615{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A734DC84565A37B0AE10D388BCF59608,SHA256=72DB0266AE4A1CEE07D8DE8328C40D1D6458D8F033530450F01D902F6273C5EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118633Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:32.553{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118632Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:34.041{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0863E18CF549F8380FEE4DF82C2AB58A,SHA256=AE32FC22DE657B8E0767C2D6B364AA2CA1CC8641497E8AD3A3767B4EB798F00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159062Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:35.631{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E55EE9AE025C0D50BCAAB2E099B8FE,SHA256=A4CC607D39C715D773A8CE81E3DC54470CFFECD25658FDB9A18ED30E3BC633CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118634Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:35.041{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D91BB8F5DE840218575D79A061675F92,SHA256=4C30BA5696F31BEA15535C1059C3125C5E0D2C6BB19F632D8D7BDD0257C2E066,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159061Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:32.231{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58680-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000159071Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A64-618E-8D01-000000000602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159070Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159069Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159068Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159067Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159066Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A64-618E-8D01-000000000602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159065Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.928{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A64-618E-8D01-000000000602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159064Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.929{189417FC-2A64-618E-8D01-000000000602}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159063Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.647{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414E1C4C9F4D30A8670331D0350E020F,SHA256=9BEC9BE116E41DB2F60B556372C794916DAD91DCE96B4042D9D06DD1D53C3152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118635Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:36.072{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1636AF111077BC4567F9F760E8B5FF,SHA256=9C64103DEFEEFF290C8D2D141DC3278B341FA2D621142FCA34705B184FCAAC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159091Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10D915E5E67CB5AE94AD810C6601F057,SHA256=FD7A51726CB003EF582C8C861B992CE9CF57D882BFA4D6A5214E7140E10F79CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159090Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B182AAB2C773E87059BA88D3E3F2110E,SHA256=8AE2424E7D4EE757901AE835ACF3781D1E765F79FF23E04BCE6B704C73F77C03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159089Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A65-618E-8F01-000000000602}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159088Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159087Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159086Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159085Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159084Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A65-618E-8F01-000000000602}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159083Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.928{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A65-618E-8F01-000000000602}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159082Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.929{189417FC-2A65-618E-8F01-000000000602}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159081Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.678{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1EEA1503DC03D680BB0DF39D957366,SHA256=5E9C265261F4C9860F76C9F4CF7019B32B6F25AEFAEA74BC3B96F511932CAA72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118636Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:37.087{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB7EB72739AEF7F346C5DE298FD7B1B,SHA256=07C16DB5C0D5DA9291A45416020D4C62F1853E50086C1427330005EBB211FA70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159080Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.647{189417FC-2A65-618E-8E01-000000000602}50042308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159079Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A65-618E-8E01-000000000602}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159078Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159077Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159076Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159075Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159074Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A65-618E-8E01-000000000602}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159073Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.428{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A65-618E-8E01-000000000602}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159072Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:37.429{189417FC-2A65-618E-8E01-000000000602}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159092Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.912{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942FB924BF2A0D789F586CA30279DE3D,SHA256=991024E76E96AAA17F9D73BF93C2310A457CAF8718C2F9A2B5DC793054BC0914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118637Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:38.087{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D73F7E8D5669FA729802CFB42E68E62,SHA256=F148ED4D7BFD07F0E3424D43FFD3C61AA8E0CB924851C887BCCE5D5AB7CC2AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159098Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:39.914{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E32627D4050678BD3AAC33F8F327EE,SHA256=DE9A0ABF60F457F556E68167A3BDDC25A40BF664067C47E16D749F2E1C38DE97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118639Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:37.788{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118638Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:39.103{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFD6BA2DC5D2CA945659818A99CBA15,SHA256=0A6DFE215E484D686A3502141CA2800FC76ED3D6FA2FD6A1E6EA8109F577DD5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159097Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.825{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58681-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000159096Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:36.825{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58681-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 13241300x8000000000000000159095Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:39.522{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x8000000000000000159094Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:39.506{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\5BC8AA72-1F28-4E14-BC80-83159E61745C\Config SourceDWORD (0x00000001) 13241300x8000000000000000159093Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:39.506{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\5BC8AA72-1F28-4E14-BC80-83159E61745C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_5BC8AA72-1F28-4E14-BC80-83159E61745C.XML 23542300x8000000000000000159114Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.928{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D38C495B4104FE99A558A4D7D6B3C5,SHA256=FC8A3D7AFD1556D3ED83A5C4268F973502FF3894F84B6C4BA9E97ED93A6ABDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118640Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:40.150{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CD70651F99C2600F441E62ECB6BC06,SHA256=7F4269FDD1D63835AFBF263BD289962B17DD280F4F46CC146D06E8EBA366B0FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159113Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.546{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58684-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 354300x8000000000000000159112Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.546{189417FC-234F-618E-2900-000000000602}2792C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58684-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 10341000x8000000000000000159111Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.537{189417FC-2A68-618E-9001-000000000602}18322452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159110Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.522{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10D915E5E67CB5AE94AD810C6601F057,SHA256=FD7A51726CB003EF582C8C861B992CE9CF57D882BFA4D6A5214E7140E10F79CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159109Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.530{189417FC-233F-618E-0D00-000000000602}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58683-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local135epmap 354300x8000000000000000159108Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.530{189417FC-234F-618E-2900-000000000602}2792C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58683-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local135epmap 354300x8000000000000000159107Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.153{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58682-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000159106Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A68-618E-9001-000000000602}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159105Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159104Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159103Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159102Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159101Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A68-618E-9001-000000000602}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159100Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A68-618E-9001-000000000602}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159099Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:40.350{189417FC-2A68-618E-9001-000000000602}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159135Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.944{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E175F71FD349B555DA579F791E8373,SHA256=07DA6650E27963C9988B7E82405791AA53156EFD6F7E56775737BF8549350909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118641Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:41.197{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D44BC9A6F7EECFB232DF65031D245D,SHA256=8A0044F72CE023FF7F179C8A0EC6A39B45929987CA5C0D57135D292C16DDA486,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159134Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.865{189417FC-2A69-618E-9201-000000000602}384356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159133Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A69-618E-9201-000000000602}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159132Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159131Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159130Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159129Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159128Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A69-618E-9201-000000000602}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159127Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A69-618E-9201-000000000602}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159126Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.694{189417FC-2A69-618E-9201-000000000602}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000159125Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.553{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58685-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 354300x8000000000000000159124Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:38.553{189417FC-234F-618E-2900-000000000602}2792C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58685-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 10341000x8000000000000000159123Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.194{189417FC-2A69-618E-9101-000000000602}45803600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159122Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A69-618E-9101-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159121Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159120Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159119Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159118Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159117Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2A69-618E-9101-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159116Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A69-618E-9101-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159115Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:41.022{189417FC-2A69-618E-9101-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159137Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:42.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5EE800B0AA8A0074545F6695D65563,SHA256=77963F1BE5859B3A9C88D4BAA618084B8ACFCE305BBBB713673B89F3C701683D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118642Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:42.228{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57946283C8BD9615F24A7FE6508662F,SHA256=D6C8A29B5B6923F421458C2D1E2F626CD6670C4490AB9C677931F2FCF9717E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159136Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:42.240{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=971ADB6B4D277D76895F0A61523FDA79,SHA256=808777D57C6979AE5513331F3B2AB95FFF099972D0970FCAA34D2127D8AA86AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159146Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62DAE85091571048DFA9CA2FA95D773,SHA256=DCA27BBF9034AC3438BC88F944A11516D9EBA67037DCD7436B404372F38CA869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118643Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:43.259{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1043D65B2CF916A2DAC9138638EEA3,SHA256=AC2907F7EF919472FC6F9F34AABB7122249FD631A2793C91589D159297C791E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159145Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2A6B-618E-9301-000000000602}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159144Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159143Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159142Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159141Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159140Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2A6B-618E-9301-000000000602}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159139Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.459{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2A6B-618E-9301-000000000602}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159138Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:43.460{189417FC-2A6B-618E-9301-000000000602}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159148Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:44.975{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3D25DA9EED3DD8967F73AF3BD7B04D,SHA256=E590C6CE7B1E30B094C9C024708B0CDE1083ADB5A62A61B18C283C0229CA0442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118644Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:44.275{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD9C08DD8B33E03AFBF4631796AB4A7,SHA256=AA9B77065981E6B98DADE881FC014BE634220C9F33D191A91F45295A85C5B16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159147Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:44.678{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3524F26D5BA3BBA4DC3560B371532DCA,SHA256=6F9227C88CB4D5925B22CCF781A54E3B22D9CD64F0E35228C7C03171F58F68F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159150Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:45.975{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956F936A99E717A335E4E908F773333A,SHA256=923D869364B2F7B5BC1A025DDF847D240134AE7E0E95D48AE683D1E2C6B8ACBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118645Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:45.321{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB06138BC39CC59F0789C16F03A9E9AC,SHA256=381DCD8FC7CBAEE6FAD0F7E1BBD1AC82E08AF8683E4A5283B77530121F3B579F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000159149Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:48:45.303{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a2-0x1a15e814) 23542300x8000000000000000118647Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:46.321{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2913A07FFC80A86D32145CC5E1848224,SHA256=D62200AE54202810BEBC7F1B0D8504FF4A5CB7E0492FC41D14F0D462789D8F39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159151Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:44.059{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58686-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000118646Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:43.553{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118648Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:47.384{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB879CCE0D421025F8E4419911418EA5,SHA256=C1AE2F077F21DB409EB6874EDBFCF13AD028807A151F69311F672B6048B7D04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159152Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:47.022{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFAFD3E789BDE85C56ED0AA18147E92,SHA256=9C455CC4E77EBEEA33CE57E01B52326874F00D34413BDCD5BE25E5C5D434C71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118649Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:48.384{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E8E405AE2171043980E4D35B4AF0F0,SHA256=B6CEACFEFC7F00592579DAF48DAC6A9254443A4B4DE1628C1A1F74ABA65A7E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159153Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:48.037{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AD4C72829681814864BBCBBA37F1AE,SHA256=81BAD6E1D91C0C54F738DD8B678717168722EF56170C112D1FA5A4B9263023BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118650Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:49.399{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF706357C368EB931FE6AE396D6955E7,SHA256=33C6BB03339A48CC7A975B1E80AFE57AC98C9B00DA19370683EAFAD9336BA9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159154Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.131{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93AA64C93E40F54EE6980C889FC83E1,SHA256=B20C0328AEAA0A66109684BD9342BE7EF2CDB9C8E36F4379B81471A7169657FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118651Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:50.399{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5265D739EB7D672153A9963F8F5A1077,SHA256=B2B338BD24B1A535D453F3C21041E0268552595B1E799542FE504AA7951BC296,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159158Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:47.577{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58687-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local445microsoft-ds 354300x8000000000000000159157Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:47.577{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58687-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local445microsoft-ds 23542300x8000000000000000159156Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:50.147{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEC2FB27B24971E7A66973DDA10E53C,SHA256=D30AB071ADA532F8AE8711BD8F088EB6208EBEB675780891064ADEBFE0587071,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159155Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:50.084{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2339-618E-0100-000000000602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+31345|C:\Windows\system32\lsasrv.dll+2f1db|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000118653Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:51.415{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC51A8B1692C67AE38B6C095951814D,SHA256=F8351B795D226E2864EC684C5B4ED6B808222E05CB7C65E72088022E2BF2B3B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159170Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.153{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58692-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000159169Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.012{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-362.attackrange.local58691-false10.0.1.14win-dc-362.attackrange.local389ldap 354300x8000000000000000159168Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.012{189417FC-233F-618E-1600-000000000602}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58691-false10.0.1.14win-dc-362.attackrange.local389ldap 23542300x8000000000000000159167Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:51.147{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6C11F533A9E44D94DBDDA7CE04442D,SHA256=9DD1CE1BDB43D2938F31BA839122D7D465818B2A77CC360D9C21F38B2312D01D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159166Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.000{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58690-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 354300x8000000000000000159165Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.000{189417FC-233F-618E-1600-000000000602}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58690-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 354300x8000000000000000159164Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.000{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58689-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local49666- 354300x8000000000000000159163Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:49.000{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58689-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local49666- 354300x8000000000000000159162Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:48.999{189417FC-233F-618E-0D00-000000000602}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58688-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local135epmap 354300x8000000000000000159161Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:48.999{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58688-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local135epmap 354300x8000000000000000118652Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:48.773{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159160Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:50.990{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CBDC0AE90920BDE1EAF15623160A8A4,SHA256=3D60D0F06BF12911136C4BA1E42445F8DB242220AE94D00B07091793FF9BE60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159159Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:50.990{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F29D19306BC71DD6CCB5490804EF2E40,SHA256=1926B0912D3E3FB376C0963A74C57940B6ED4E9E24752B4E0A884C304CF3C9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118655Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:52.434{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-029MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118654Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:52.415{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E41DCAB6FDE76A949B5A6527A541A40,SHA256=447B2CCDF7C3E6A40862E1FCA36677E965D14547461428F7C3460A0B2BE8169F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159171Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:52.162{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B87053F4CD508F2D893960100C1EBE6,SHA256=9ED1BDEF79D54FEB9305CCBC5CF4C677237C5584A18459A1F316D8F9D0733D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159172Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:53.381{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B5CB302C26F6D3B1DA23428D979013,SHA256=67BBA6D50649C545B41FE3E6033B7DBBB03C11032478C9A513964CA85E0FBC24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118657Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:53.432{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-030MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118656Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:53.415{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D34BBD3622C45CC0A41953889033759,SHA256=4FF811B7E29AC4E65D1501478E898456CA537FC56EF992C5350FE6DA2EEF1B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118658Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:54.416{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BED73651DDBA2DDF0C0C390B475671,SHA256=26AE6D6FE6DA82042ED69FF957113B4753E6624184593CB99A70BA4F431A2CBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159173Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:54.397{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270C98129FF7DECD781EF200BDA45796,SHA256=85C6F2458ACB3E2C172CB3EBB01005929F4BB91EAEF9FF68F47692F730CFFE75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118659Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:55.432{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FD35C5F3B4BDD5CFAF5D4B88EE863F,SHA256=302C7A7E726A47333296D6B69B6A18497AB188C15F9E4A31463F6617447BA3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159174Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:55.412{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF16714386D6C8271C2F2A3023199E9,SHA256=EE49D15AD00529EEE3C3F46C671B08D4D2A59F3E308ECC9E37025A677F4439DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118660Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:56.432{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75932514671AA396C2FD4C6670BB38DF,SHA256=1DA80FC41670EE57E52212C3D5907ED38A2E79725C913101B94C9F29B266643D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159175Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:56.412{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C1FC57AC0BBB993576CBD1A7FF8FE0,SHA256=2B7D9C5867F0E2F21AF32BAF8E20D358D01933DBEBB4EEDA81FC628D23C2261D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159176Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:57.631{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09A1420721F33ACE4D478C5D73DD33E,SHA256=7453AF3F754636FB7B0D862DD53B3BB55FA6B1E76E15C4E096632169B9DDA948,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118662Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:54.727{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118661Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:57.432{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74BEBE063E89415408BFBF2621C1164,SHA256=01EC2D79154DF6274FDF8F07C2FA704804F7730D84AEAAA7002B88106C93E442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159178Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:58.662{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF39D91849C5B675B7C7E267782EB4B3,SHA256=5E1FBA593FF8B70DA717908771F74A983E988A82AD6B6182D8C42637DE3968A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118663Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:58.448{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC876FE765BCD8E8127A9E09CCB345B9,SHA256=04BC889BA68D8616D83282A5992A5F3618A49FF727F4CEB2D8548E23A3A8058D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159177Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:55.122{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58693-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159179Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:48:59.678{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C6129EE2A87139EFC4E488D83CD533,SHA256=378E5D7819F4FDE9567F8B2B9D0EA8FAF083D8A43CD8F37180424C5D2F064E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118664Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:48:59.448{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14515998BDDDD086210CB4E3B64927D,SHA256=49CA2E8E36D32BFE4260143ECA1C5B809AC48E773DC7B73AE3C479170B038D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159180Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:00.772{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C497FF01572DB9C737CDD38BFE73FB03,SHA256=B0665AE2DD103F7D014FC32810D918D678915BC5062EE823AE8113C2BD639E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118665Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:00.463{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A055CAC49CFF89BB8464C2574584B174,SHA256=388A85741C35B7C6E0620461BCDCD317E81763B8D8175BC68FFAED5D07B01C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118666Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:01.510{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96308ABE12191D379855F72464690677,SHA256=747AE23E2A904DE7B61021B228E2D17FE7A954178EEAF5EE9FB938A9350F4586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159181Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:01.787{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0632DDDA5E7651665FA8C348827D6CD6,SHA256=67102E968E0E977C32754F7BBFC0A5C7EA8ED40C69CD5A036F7CF91D12BB5F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159183Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:02.834{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4741293999035291FC8C24832268A675,SHA256=2A1546459AB1C8047D5953D96C9EE111A11A64D6FCD9C4CCFB44C8CBE25E468C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118667Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:02.557{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602A057B25BD580E6264A45BB1E53041,SHA256=311B1B9D1B000426F42047C7F52CE7B9F1E6E5F30164ABE20AD2D76A506178F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159182Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:00.200{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58694-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159184Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:03.865{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD70F6D6438D1F07E75A27D145F0E0D,SHA256=AD167A3D79D0244D7F4E77D243C055546DF2CC4944D461551FB5BACDAAA09620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118669Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:03.572{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C005081CAFD6E7EA23B58720F9BF1F,SHA256=B2016C95F8AD94974F0DEAA3CFA29CDC01A1EB045B40C3E2AEB718702E4DDB99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118668Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:00.711{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118670Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:04.588{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710A02FAACA03470BA7CE32CE58AD33F,SHA256=2CC6B806241E8DD7800129897D665260945270D9999C2674A35C730542669D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118672Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:05.635{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424BE944872E0905ADD09A66092A7EA8,SHA256=BE578A7CFC4D87F24D9D3F133E2C39140E56C5D0815576C5C1E12296CF187C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159187Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:05.740{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7259ECFC944B994ADE484AB09FDE40D8,SHA256=EB09559DF8B10D18518ED0D67FEF9B4BC496112996127DAC5BE71DDB39B56B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159186Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:05.740{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CBDC0AE90920BDE1EAF15623160A8A4,SHA256=3D60D0F06BF12911136C4BA1E42445F8DB242220AE94D00B07091793FF9BE60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159185Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:05.022{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D15063D7205BA3945BC93B0188B81CC,SHA256=7BCB7A2EFEE755542DB627060F34F16CC573F7AC87C37A52732DC16B404DD2F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118671Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:05.619{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F698D2229E2378E36EB5169BAC546F74,SHA256=B6A46D5512F3134E585932F0493A9D408F9FDAE4E1F2913DD1F45B89DC7331F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118673Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:06.635{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D12D9EA83F9C8956B688F19E0AC0C6,SHA256=CDE58A9FFD2F2539EA4DF9DD69E6F3D6A1055E91774A0AD6BC9B012E214004AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159188Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:06.053{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FF3F7F492D196C6EB17E589D33D471,SHA256=A089AF4B57C8C31FB1998EFCCA09B4F9A6962D75A9DC3ABA919928AC6441A4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118674Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:07.650{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3156F2D1C90E79616916F84E9AD169C2,SHA256=F658F806429FAB049E697D1D13CCA9EC4667D026D1F898EFC68D316509F00FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159189Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:07.162{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7525F878D07AD94A29DED16F0A4A66B0,SHA256=5CF7B7484F0AE165D6131901B2783E05471E554D3735A8CC545097E836AE2E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118675Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:08.666{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213CACDEE0C697EA5EC76BCA180C0675,SHA256=BBEEB0C7D49BCF9D6C395AA4E4A94C0C977B66699F72CA77566A805774BC7BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159192Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:06.106{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58695-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159191Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:08.693{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=12C2E887E612BBB82004988343C4BA5A,SHA256=A3EB2FC18E22503494F88F0CEFAF8AC7E48A07F40CE499E3B710C6B4B4C84B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159190Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:08.178{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB2540FAE155295778FC184FECB79EE,SHA256=FFE2A18725B2F64FEB4A6105885C66A65C79BDC5A3F9AACA92384FBEFFBB2D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118677Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:09.666{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098F797E38E5E3BCD4ACFDC3E177291A,SHA256=A2C419CB6EDB742F41E08244F17776824C301772A3EFC54F78CC6EA1C84EBEAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159193Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:09.397{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD41645AAB2C04219FF51781F574562,SHA256=1E8D769F903F90400ADE94DAA8A575927D169CB9D79211EF27EDDF85F8E3B7DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118676Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:06.680{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159194Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:10.506{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8A8C47AEA7D551DB4567726E165B46,SHA256=3B08CBA147E0BD1FBDC299EE05EE619027FB338CBFD4C08503AEEEBF8C101F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118678Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:10.682{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E6E538AD9D7418AF1739B4D951543F,SHA256=46637F8728347A9788653D3295187B1E9E7A64E1CA5E6BAD7D639092630C7531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159196Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:11.551{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C85429BD363426537FAF96185B78F24,SHA256=F291430E60CF8D18C9153470E82777F58B6B74ADBF268624CECF41D9802EABF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118679Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:11.744{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77AEEC12A3BFCAB1D3BBC05D9371115,SHA256=90C9A3E99F6261A0868CE79D93930A689C09B2EDAA890FBB6E9892FEBBDB8902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159195Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:11.103{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-029MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159198Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:12.678{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED5A5EE9FBF793BCEF88C96279DE5AA,SHA256=545197E327F5F3DF45DC3853E408D5A6443692C4155FC5000DDE6869A7319C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118680Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:12.791{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D5BC951E304D49D9365E9A7B4DE372,SHA256=CE235D47ABE3AEE504859CDFC97D2B025BE43E4AAF5D9AF3AE46E9E86AFBD21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159197Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:12.114{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-030MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159199Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:13.709{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43157D810347A99885B0CFC3935EE690,SHA256=EF88BED385E56021F5EB29EAB05C5BCA40313813C7F3221C88277792C6BC6BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118681Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:13.806{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D82B29F2F650B40FDC0F91F6227D374,SHA256=CF04407BFA10F0EF3E68DDA4AA11EEDF0FCF993A4EDAABAF2254BCC41DD3A7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159200Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:14.865{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073B722793DF5F872D590D354DFE53EB,SHA256=66C971D79F5AA663C96761D5C94AA046CE0053E7B9CB8AF2ED3B63A904AFC52C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118682Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:14.947{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C0295B5CCB074F91645D12007E3B6A,SHA256=830588968352C004961CA471FA08EA2DDFF83FB16DB5EF13FAA37EB7F648ECC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159202Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:15.912{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149A139564FFA93C47889E1690E47658,SHA256=F823AA9AC4BFE68CCB87BF53530A0FC391DD94B55368C70727DAA87C64BB313A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159201Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:11.258{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58696-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000118683Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:12.727{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159203Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:16.928{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47A946DB475000630CE100DE1B143C6,SHA256=4554DEA47F8AB926A61A4502AB9A26AB67D3F4A0A998BBEA8809849C17DFF34F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118685Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:16.259{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118684Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:16.072{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8543520702CC2060D68F0677FF29D383,SHA256=407C7E74B4BECD68AAA4A340931D06CC068106A50E99918B7CCA63D7604B1598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159204Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:17.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46995FE6B29945CDC4A28FD99CBC12DC,SHA256=227420A9D84A7B9C983C54FAE5376E94444E7BC59B5D07FCBD4DA3AFE92B8AD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118700Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A8D-618E-6801-000000000702}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118699Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118698Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118697Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118696Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118695Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118694Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118693Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118692Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118691Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118690Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A8D-618E-6801-000000000702}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118689Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A8D-618E-6801-000000000702}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118688Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.791{147D18E0-2A8D-618E-6801-000000000702}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000118687Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:15.789{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000118686Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:17.134{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94153EC1CBECF902500AAB16496D6C85,SHA256=8C5D5C92374772F09F2A438EE68FBC43D013CA01DE1267992A665E98E9486164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159205Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:18.990{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9E07FB7E67C08D8372257F8F06BFEA,SHA256=4F73F2B4F648B46351A89DB7771E26243A504FD121DA030242B5807E9507A027,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118717Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.884{147D18E0-2A8E-618E-6901-000000000702}32323432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118716Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.869{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D3BA05C3C4B05C41E80EFD7B91B478F,SHA256=933559BCCC6F7EFD120105E0FD0E03832EEA8F705A10105BBC5037845E7057A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118715Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.869{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=768D7E7C12C4EADC8A94463C8B280752,SHA256=BAD9CB4CE48DB441F385F875FA81A1136AA2C9285B9CDEA52D1A4AE8DDBB0761,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118714Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A8E-618E-6901-000000000702}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118713Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118712Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118711Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118710Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118709Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118708Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118707Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118706Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118705Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118704Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2A8E-618E-6901-000000000702}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118703Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.634{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A8E-618E-6901-000000000702}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118702Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.636{147D18E0-2A8E-618E-6901-000000000702}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118701Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.150{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A0E4382451B2BBAEA7D6A8391B1629,SHA256=96FD075A9F158ACE1F1D7B7CDE5FD130DC84086C512509D7559A8FE755526BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159206Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:19.990{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF55881C90789DC174DF7F76A8E5636A,SHA256=6B2DF2F34E2D4C67F41D92073B8618C7ED08C9E51FB339639BC8BC2D81C5E4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118731Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.213{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98427A10EFC6B684F29E64C1E6816299,SHA256=A9C7AA2745F5161AA51166BBE98A8A3126D157F40015A3377FE203F23B86E9A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118730Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A8F-618E-6A01-000000000702}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118729Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118728Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118727Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118726Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118725Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118724Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118723Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118722Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118721Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118720Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A8F-618E-6A01-000000000702}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118719Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.134{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A8F-618E-6A01-000000000702}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118718Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:19.135{147D18E0-2A8F-618E-6A01-000000000702}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000118734Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:18.680{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118733Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:20.212{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB682817B4951EA191444224276ACB8,SHA256=D1801F8F031312A4E6CC6762325E2EC1D76C9A3E962DB094B9D52BA4C1EB4004,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159207Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:17.168{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58697-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118732Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:20.150{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D3BA05C3C4B05C41E80EFD7B91B478F,SHA256=933559BCCC6F7EFD120105E0FD0E03832EEA8F705A10105BBC5037845E7057A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118762Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A91-618E-6C01-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118761Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118760Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118759Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118758Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118757Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118756Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118755Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118754Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118753Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118752Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2A91-618E-6C01-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118751Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.837{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A91-618E-6C01-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118750Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.838{147D18E0-2A91-618E-6C01-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118749Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.322{147D18E0-2A91-618E-6B01-000000000702}24801248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118748Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.228{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2697DBA1497B0CA731C864BB5CA03F43,SHA256=9A8E95129F8C481BB612FD5F272AFE8CD1F867B92D49B74A5E906DE781B0F8A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159208Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:21.021{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DBF9DC1DCFF3E61CA79F3AF31C8029,SHA256=3FE6D9C00695B024F314AFB6B8D795A94048519778C6182FB9BB44CED841D6E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118747Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A91-618E-6B01-000000000702}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118746Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118745Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118744Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118743Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118742Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118741Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118740Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118739Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118738Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118737Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2A91-618E-6B01-000000000702}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118736Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.134{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A91-618E-6B01-000000000702}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118735Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:21.135{147D18E0-2A91-618E-6B01-000000000702}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118779Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.556{147D18E0-2A92-618E-6D01-000000000702}26603052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118778Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5C103B2BEB6DF99D7B31FB965B3D8B,SHA256=28E88A46C4217CD29BB1A1543EC7B686990AFF4D60C80B618DF0FE588F1A97F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118777Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A92-618E-6D01-000000000702}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118776Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118775Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118774Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118773Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118772Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118771Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118770Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118769Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118768Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118767Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A92-618E-6D01-000000000702}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118766Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.353{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A92-618E-6D01-000000000702}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118765Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.354{147D18E0-2A92-618E-6D01-000000000702}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159209Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:22.068{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE05EAD3895887382FB9234C6531106,SHA256=2B85DDEAA4588E4C00CA9ED5501485A6365C18121D1C93DCA263CFB1C606755D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118764Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.212{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F6A1004DA65DBD025E0D394B7608FE8,SHA256=A4958036B30269BE713961B2633C7D944AA3AF42C2B4CBE1ADB120ECD17A1623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118763Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:22.087{147D18E0-2A91-618E-6C01-000000000702}31123108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118781Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:23.509{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE43DCA2660DD93F0D8DF77922297B9,SHA256=8544231B447D991AF4387049BF06AD8462A87DC129CA537B82768DAC4B191F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159211Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:23.396{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159210Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:23.178{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2E1CF5DF4653FE627FADED8B647491,SHA256=2D8B58E4323B2CEAD95656588DA98FA9BBEBAA6C213870B5943C264878105202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118780Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:23.384{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF9D897E530B99EF52ADC1A68D8C33F5,SHA256=B9E2A4BB0D220C4A717A49FFDA2D35A5E05872B73A68A9F91E1ACE993476DCC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159212Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:24.209{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213021B7B9C056B513E7547D5B93F441,SHA256=7F2365DFA50187AD46F566A365492193AB33A2C0306E638CAC30599B34692B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118795Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.525{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DDC0D52D74D1EF0D4F6FA0C210EBD4,SHA256=4528E21EEE88BD0E76756C7F7FAB0AEB70B0AB1AEF744157DEDF7FE6FC6F0D89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118794Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2A94-618E-6E01-000000000702}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118793Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118792Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118791Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118790Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118789Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118788Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118787Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118786Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118785Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118784Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2A94-618E-6E01-000000000702}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118783Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.306{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2A94-618E-6E01-000000000702}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118782Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.307{147D18E0-2A94-618E-6E01-000000000702}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000159214Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:22.403{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58698-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000159213Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:25.381{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2D3D927F6F41C69427B16CAD1801DE,SHA256=4ACE6C1A83104BEC80991F9BA3A471233DBE1B1F871194FCF04745820448F2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118797Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:25.556{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE105CEB8F5C9CBE7BA64B84450EF509,SHA256=8828185DD3CE7629F4053020F80F889AEA16D3C4BEFF53DA396C091F3D97F598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118796Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:25.525{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BDB1E23F31EC0CD3F0BB40A45F9B959,SHA256=9C17C5AF91A51E5FE2BDCD2862A2018A54F60C04A14C49874ABD48DD6D035522,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118799Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:24.680{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118798Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:26.572{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55763AFAC9B86C01C98303006B37179,SHA256=DDCDF13CCACA702193F2A82D0F19E0A03DAF557EC109162F0AB2FDE539493FC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159216Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:23.074{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58699-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159215Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:26.381{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B333B28C9D03F87F1782B5231EFBFB3,SHA256=9D18B898FD804C04F2592384033AA367AEA069D749057F4BEDB6C5AB4B3D882B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118800Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:27.587{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B87CB8C3D6596556A31962ACFC25BC9,SHA256=9FC52FD0C2616BC0EEDDBA5C959C01E849AC2E8DC9595F5A0BFC40F1EE586DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159217Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:27.396{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF9ABA25E7F65383C5970B765E35203,SHA256=527A553D3107A04446A3B460EFF210770B81429DD7F1D588EB19EE5B81E8101B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118801Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:28.650{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDFE9070299683DD3F991FA6C721C8B,SHA256=A1CC7E6493CAF260CDA03E2CAADC5ED496F7967B8BFDDBCC58CFCC591BBEE2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159218Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:28.412{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BACC04FB32A9DD398EBC57A547DA7E9,SHA256=C4A269A59208BF8672A9BC0AA4165850C4D19FC173B0AC86105AE11A2AE91F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159219Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:29.428{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951517BE82571875652D6C95E10AA054,SHA256=08695AA2D252AA196ECB62A73DB9E4D160957B51A13611FC87E36600F7F4B55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118802Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:29.681{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE15B4E2A5EC7E727D75640604274908,SHA256=677E70DAB625527E342E1AD1D0EEA55D5B158EB36288AA0CBE38BC8C019FAD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159220Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:30.443{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FEAD7E24B27AF5C8887FE059FA95F2,SHA256=2AEF18458C62FE74E0EE1130E7AF57106E3C43F411E53FB3566A016721E2A78A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118803Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:30.697{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4840A9F42024F07C638A3AD1ADE61D,SHA256=F217D1AEC019C752E9B68E5D6C493E9AC921F78C77780292AEC2B99B96591A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159222Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:31.647{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C30A15B6178C9532C9F86776CACBB6,SHA256=1BF2DA649FFF7ED30C776B146237A9FCCC5CB31F149B5F0DB5FD5A5D227FA179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118804Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:31.712{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECB976304C984297D4C0CBACB4DDAD7,SHA256=A1D1AD3E8C9CC942EA431C5395E833E5ED962BEA3F3C2919A5C3C46656F476CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159221Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:28.215{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58700-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159223Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:32.756{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B18A77626353B51611CC7CB0C73602,SHA256=D454A404D386C0198F46D1C29379D7454F0C8A6DA65941FD1DCD67EA9CA26126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118805Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:32.728{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B26FB93F4769D74F691CDE14D462BB,SHA256=6155C9FB48EBCD58CB6814B925836052D65A60D6110300B8B4E9651B517A5F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159224Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:33.771{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333BB8629C8D7CF7A4C6A84FE4AE4CD9,SHA256=7F76F4ACDE8F3F8A5D97E1EAB776F2FF779EA74CADBEC0B2B7FC39A090D17959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118807Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:33.728{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1CE9817078FC0D6230FFC0BD46DA44D,SHA256=F481A637442A44B6F3A25DB44D6A2E9DF1AC12AFC8D424507A0B8AC01212A9B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118806Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:30.680{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159225Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:34.787{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E376B37E1A8FE9DCB0E5BACB403A90CB,SHA256=AFC35288EDCBAFB30AE5F0846D2D5FB183EFB170BAF757E15C706E9CF04BD89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118808Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:34.743{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F915F54DFE6634C09A58CFB98FFA0842,SHA256=48C38C3AB30866CF8BC73FB9DD4E41C198F0D7F2420573725EB678AD31457283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118809Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:35.743{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E4E5D0EC2C3209D7DDF4BA50C534D2,SHA256=1F62D58F517B55E751CAE4A14529B20CC2441960C9C29217DB2C54F1525D5036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118810Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:36.743{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB0DD824094C240FCEF283233B8E256,SHA256=A77CE200511EA44B31ED2AA8FFD6DBDA05664E2F5F7C5946D803C9922BCA533F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159235Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA0-618E-9401-000000000602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159234Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159233Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159232Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159231Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159230Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2AA0-618E-9401-000000000602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159229Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.928{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA0-618E-9401-000000000602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159228Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.929{189417FC-2AA0-618E-9401-000000000602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000159227Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:34.106{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58701-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159226Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.006{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D5C0D1D7CBB97AE569B3F16F24B9F3,SHA256=C4B64ECA62B2E967A3B16135DE29E59BCF6F49559F83C3312715FC484E1BF34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118811Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:37.743{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17DB01F60F6A9A4CDC9C9CD6A7BAB16B,SHA256=123C5277112884108F0F415565460E5310557B82C116A4D3D66ECFA353D5CB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159265Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.943{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E63635B11976F90495DA6CBE78F8C623,SHA256=4EE24718800746C86E66E980963A66AC2D4AEB6959CAAF2A23B86E9FFD592D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159264Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.943{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7259ECFC944B994ADE484AB09FDE40D8,SHA256=EB09559DF8B10D18518ED0D67FEF9B4BC496112996127DAC5BE71DDB39B56B2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159263Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.912{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159262Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.912{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159261Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.866{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159260Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.866{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159259Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.834{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2AA1-618E-9701-000000000602}2976C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159258Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.818{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AA1-618E-9701-000000000602}2976C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159257Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.802{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2AA1-618E-9701-000000000602}2976C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159256Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.802{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159255Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.802{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2AA1-618E-9701-000000000602}2976C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159254Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.802{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159253Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.802{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159252Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.802{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159251Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.804{189417FC-2AA1-618E-9701-000000000602}2976C:\Windows\System32\InstallAgent.exe10.0.14393.4169 (rs1_release.210107-1130)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=88C7DCDD735B31E4F5620E4B9F38C87F,SHA256=5EF1322B96F176C4EA4B8304CAF8B45E2E42C3188AA82ED1FD6196AFC04B7297,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{189417FC-233E-618E-0C00-000000000602}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000159250Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.709{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159249Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.709{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159248Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.709{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159247Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.709{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159246Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.709{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159245Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.631{189417FC-2AA1-618E-9501-000000000602}26404896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159244Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA1-618E-9501-000000000602}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159243Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159242Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159241Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159240Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159239Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AA1-618E-9501-000000000602}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159238Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA1-618E-9501-000000000602}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159237Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.428{189417FC-2AA1-618E-9501-000000000602}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159236Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.037{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73EC6F471356958B6CFB6B935BDA415,SHA256=18E9B0AF7D806E2FF353016699B44022B885916205A4D7ABA2E7D59607FE8CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118813Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:38.853{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C48C9DB62981F0939432DB77F5628F,SHA256=F8B5D1802A67F5AB33AEDB79C804E0A723FD1801B91237E280CFA9416BDADA3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118812Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:36.696{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000159299Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.912{189417FC-233F-618E-1400-000000000602}11122716C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000159298Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:49:38.740{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000159297Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:49:38.740{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001cf40c) 13241300x8000000000000000159296Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:49:38.740{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d799-0xd7d87fa7) 13241300x8000000000000000159295Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:49:38.740{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7a2-0x399ce7a7) 13241300x8000000000000000159294Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:49:38.740{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7aa-0x9b614fa7) 23542300x8000000000000000159293Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.318{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD155FA6DC265DBC1232E260A226048,SHA256=72A1BF942442840AA8490E3B463BBBD16C8CAC01305ED5C926D5F16B5B656701,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159292Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.271{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159291Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.271{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159290Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.256{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159289Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.209{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159288Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.209{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159287Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.209{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159286Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.162{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-2AA2-618E-9901-000000000602}4244C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159285Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.162{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-2AA2-618E-9901-000000000602}4244C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159284Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.131{189417FC-233F-618E-1600-000000000602}12521496C:\Windows\system32\svchost.exe{189417FC-2AA2-618E-9901-000000000602}4244C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159283Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.115{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AA2-618E-9901-000000000602}4244C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159282Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.115{189417FC-233F-618E-1600-000000000602}1252NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Logs\WindowsUpdate\WindowsUpdate.20210310.180215.536.1.etlMD5=773E294C300AA593C4FDA70F4C5683B7,SHA256=24BC3FA1E6DA1306522A7975649FE84545A5CEC4B1AFEB1CBD0500587AC9A54C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159281Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AA2-618E-9901-000000000602}4244C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159280Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AA2-618E-9901-000000000602}4244C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159279Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159278Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159277Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159276Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA2-618E-9801-000000000602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159275Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159274Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159273Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159272Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159271Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AA2-618E-9801-000000000602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159270Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.099{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA2-618E-9801-000000000602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159269Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.100{189417FC-2AA2-618E-9801-000000000602}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000159268Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.084{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159267Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.084{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159266Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.006{189417FC-233F-618E-1600-000000000602}1252NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118814Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:39.884{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4230A69E62FA8EFEEBE4DA27936DB9E8,SHA256=1552E18E2244CB07538EF28A2EB317F4F0433B9BD0C60668B20F0262B10D4E4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159308Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.443{189417FC-233F-618E-1600-000000000602}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58703-false40.125.122.176-443https 354300x8000000000000000159307Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.284{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local63249- 354300x8000000000000000159306Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:37.284{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local63249-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domain 354300x8000000000000000159305Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.843{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58702-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000159304Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:36.842{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58702-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 23542300x8000000000000000159303Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:39.459{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C2616EC873F510D5003F5759B79060,SHA256=4E463FEE1B80D1F0FB181B838B7C107E85D6F48DC5091C7D66F525D4AF6AC810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159302Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:39.209{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E31FB8BE4C2CDF5118630E6B67CDDCB3,SHA256=2AE80A050E690F48EEA9F8C5C6DFD2624E86D578EED7C15BBDEBA4F02D46C46A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159301Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:39.209{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=31911BED608547EE7B8DD5BA557FC079,SHA256=BB7C37A4B357803E1FFAEA218488FAF245DCC77EA529C51D58F535A32BE7F96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159300Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:39.099{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E63635B11976F90495DA6CBE78F8C623,SHA256=4EE24718800746C86E66E980963A66AC2D4AEB6959CAAF2A23B86E9FFD592D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118815Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:40.946{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7DE98C0F3245EB01C2478E77FA5F7E,SHA256=D43F54615C94F1CBEB2CA538CFE2D39E4F2D47442126D922EC5D990E684EBEF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159319Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.724{189417FC-2AA4-618E-9A01-000000000602}46163028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000159318Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.localT1042SetValue2021-11-12 08:49:40.615{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXEHKU\S-1-5-21-2006876236-2289804728-1473726685-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 23542300x8000000000000000159317Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.553{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36AD30B770F897BBD58933EF93675C71,SHA256=E669AE9D551EC67775A3BE5E9E69F61EC226C789AB56D635165F5B24993A5F5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159316Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA4-618E-9A01-000000000602}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159315Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159314Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159313Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159312Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159311Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AA4-618E-9A01-000000000602}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159310Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.521{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA4-618E-9A01-000000000602}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159309Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:40.350{189417FC-2AA4-618E-9A01-000000000602}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000159393Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA5-618E-9C01-000000000602}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159392Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159391Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159390Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159389Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159388Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AA5-618E-9C01-000000000602}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159387Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.881{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA5-618E-9C01-000000000602}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159386Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.742{189417FC-2AA5-618E-9C01-000000000602}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159385Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.724{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E795CDB772BA2BB048BA244FCC9487C6,SHA256=30F3A6285EF837FB1B3857DE53F5FE555E98ADDC7AFFF4361ED2F1EA1D779076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159384Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.724{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7414DE5E499526DF5DBBEF9CF2AC6FDD,SHA256=886641D535D4C9985A9FEC8FB6140351D15E75553E89EFE5010515F5263BE6FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159383Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:39.168{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58704-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000159382Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:38.575{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51719- 10341000x8000000000000000159381Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159380Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159379Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159378Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159377Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159376Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159375Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159374Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159373Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159372Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159371Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159370Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159369Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159368Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159367Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159366Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159365Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159364Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159363Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159362Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159361Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159360Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159359Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159358Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159357Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159356Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159355Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.474{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159354Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159353Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159352Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159351Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159350Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159349Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159348Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159347Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159346Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159345Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159344Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159343Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159342Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159341Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159340Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159339Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159338Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159337Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159336Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159335Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159334Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159333Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159332Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159331Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159330Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.459{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159329Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.412{189417FC-2AA5-618E-9B01-000000000602}4580416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159328Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.381{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=481D579569CD96874224826D602B743E,SHA256=B0A09F14176C5993E1A4C41265D68F63B2A9478B9AA61A7C2596C6D272F440BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159327Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA5-618E-9B01-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159326Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159325Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159324Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159323Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159322Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2AA5-618E-9B01-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159321Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.240{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA5-618E-9B01-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159320Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:41.241{189417FC-2AA5-618E-9B01-000000000602}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159396Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:42.740{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08E11811D79F68363198C6DDEC588DDB,SHA256=69D2E4066C62D0EF906A169FFBE647E33B7B2CCE82A3C5224FE49AAB5154BD7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159395Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:42.724{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086648135112F21F8A4A096EC1C81D0E,SHA256=1FD67BB07BCE7283DE5A3D4BF773495E044216C411E407A40634649086115170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118816Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:42.087{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4570E8DA321433E1FCACDDCE4B6C33,SHA256=EF44E188CA8BDF2865A92D6A2EDC3FCB43C967A6CBA63CA334860B262E90A170,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159394Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:42.178{189417FC-2AA5-618E-9C01-000000000602}46604948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159405Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B249A2889B01B5C16D337599A3DE13,SHA256=FA9CAA56B27DD74DB8CE6723B0CF0551E7357A1FC3FEB9EDD329ED2E26ED5C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118817Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:43.087{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADABA7B0528E357DFF615E34CDD839A,SHA256=787C5528DAC0D67232D97A60B07F12BEF1D765716AC7F706426DA5CCEED6A24A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159404Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AA7-618E-9D01-000000000602}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159403Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159402Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159401Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159400Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159399Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2AA7-618E-9D01-000000000602}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159398Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AA7-618E-9D01-000000000602}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159397Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:43.459{189417FC-2AA7-618E-9D01-000000000602}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000159407Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:44.974{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8127A52D9147F345A026BF75F8BD3967,SHA256=E37B794B35D47E0D5ECFB0BEDE6257B0E973E542D10A737779AE61A9934EB32A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118819Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:42.680{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118818Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:44.134{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D0F5476828794C1BD4E47F3CF600B1,SHA256=961812FDD72402E99AC464ABE79A50028C3F929A99806DA48C54A8A9DA46E3DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159406Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:44.459{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=982455D99A25B65F3E0443D8F18B5753,SHA256=FBD6DC13CEB262B0D153F5B00209AB4F8D45772FDEF55018E907FED5F99107FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118820Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:45.149{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2997AA4771240FE9DE9CF381D823DD7,SHA256=49D7C33E02402F99384924C29DA3044715011694B5BB4B316B1C51AFD1EA5211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118821Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:46.228{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A306CBAB23A04D20FAEC4CAC4EE932,SHA256=AA7C76552AECBF5CFCED03D7243F8E095C724C237522F16292E2E413F76AE06C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159419Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.974{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159418Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.974{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159417Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.771{189417FC-2AAA-618E-9F01-000000000602}44363160C:\Windows\system32\conhost.exe{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159416Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.756{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159415Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.756{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159414Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.756{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159413Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.740{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159412Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.740{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159411Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.740{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159410Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.740{189417FC-2975-618E-6001-000000000602}45084276C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+1f9ab4|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+175750|C:\Windows\System32\SHELL32.dll+16d62c|C:\Windows\System32\SHELL32.dll+19e808|C:\Windows\System32\SHELL32.dll+16d7c6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000159409Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.754{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp"C:\Windows\system32\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{189417FC-2975-618E-6001-000000000602}4508C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000159408Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:46.006{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E66D1D89638A98A8D4D2DBA4821D03,SHA256=BB30E2DB586B5F73B890DBD1B423551C30173EDC2FB30BD9E6FA0A42C8A56BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118822Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:47.259{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB8BC97454A68805F73FE9272E56959,SHA256=C676BE333751DA525AF1B592FDB97A955F0FB57171F9CF35A74D4CAD975BC939,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159435Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:45.106{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58705-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159434Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.740{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29325ED612FA52A4FE5AC08E354049F8,SHA256=9F1B4F02CA6E625D7318A6E3C81B69EDB2A1D0874AD51BC0BD5D3C153DB882F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159433Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.037{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04FBC6F582E92DA926D76DECC4C4D57D,SHA256=C372299C22EC288E7945BA77A92C94C780931223B2EDA7296B8A642D208A413B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159432Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.037{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159431Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.021{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159430Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.021{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159429Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.021{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159428Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.021{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159427Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159426Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159425Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159424Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159423Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159422Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159421Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159420Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:47.006{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118823Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:48.399{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B918693A2F6331C45D7C7AB4E8879CBF,SHA256=2D68D6C5ADA4FBD640450C24F2855C9C21BCCCB4531A360D1D4B7FFCD78EC252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159436Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:48.037{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D93125EAEDC672E156D757CEE52B5CE,SHA256=10B0AC856BE41BED9966740487E11D8F3420F94AF38F34244C1DD5AB76974975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118824Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:49.509{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1776BCC3C0898890BBCF2C707B13E171,SHA256=0DE983436C5D95AC5DD27566112BD3B112CD1187798F7D0CDC4EF55AECBACC35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159437Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:49.099{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB65E990CEB207D3095C76E9FFFD015,SHA256=3350EE47B2CF1D1DD7A0A506FE583FC771081FFC8FCE2739514B9BEA6C07CC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118826Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:50.587{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12193D3333264A32600D6AA0F00996EF,SHA256=47C76F172A21B25A89C2CEA5C4D4EB4CF453E70DFCE48222A8CD241F130761AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159438Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:50.146{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80608E99DDE1077E5926F76E8FC90A81,SHA256=FAB053FDCCB8A4F59D345BC24AAC8DEE3591C3F46FBB8E7478C721E1F6007634,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118825Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:48.633{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118827Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:51.587{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55DDA50163CF67BAA8C0D3C5DFC4D9B,SHA256=0C2B3D2D3A1EDB604C1828AC946921CBB1C8F51F0ABC2D2D6354C89615E00CCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159472Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159471Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159470Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159469Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159468Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+105f4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159467Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+105f4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159466Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159465Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159464Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159463Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.224{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159462Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.209{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159461Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.209{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159460Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.193{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159459Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.193{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159458Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.193{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159457Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.177{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AAF-618E-A001-000000000602}1800C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+b5d6|C:\Program Files\Mozilla Firefox\firefox.exe+9999|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159456Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.162{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29F9657A34CE016E399D0B5312317E3,SHA256=DDCCE3D7416C0DD0E081D8C2F6DA23FF892279E5EF3E18947242326198A7D5A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159455Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159454Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159453Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159452Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159451Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159450Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-2AAF-618E-A001-000000000602}18001160C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+cde5|C:\Program Files\Mozilla Firefox\firefox.exe+9999|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159449Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.140{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862MediumMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A001-000000000602}1800C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000159448Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.131{189417FC-2AAF-618E-A001-000000000602}18001160C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+b5d6|C:\Program Files\Mozilla Firefox\firefox.exe+9999|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159447Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.099{189417FC-233F-618E-1000-000000000602}4081120C:\Windows\System32\svchost.exe{189417FC-2AAF-618E-A001-000000000602}1800C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159446Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.099{189417FC-233F-618E-1000-000000000602}4081120C:\Windows\System32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159445Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.084{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159444Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.084{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159443Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.084{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159442Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.084{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159441Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.084{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AAF-618E-A001-000000000602}1800C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159440Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.084{189417FC-2975-618E-6001-000000000602}45084152C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A001-000000000602}1800C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\windows.storage.dll+11a32|C:\Windows\System32\windows.storage.dll+11729|C:\Windows\System32\windows.storage.dll+115ff|C:\Windows\System32\SHELL32.dll+80337|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000159439Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:51.078{189417FC-2AAF-618E-A001-000000000602}1800C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2975-618E-6001-000000000602}4508C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000118828Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:52.618{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53A0F23B962CEEBEAB5AD147457778E,SHA256=2B5F8BCCFA795617245056D4DD08AADA260A1B2C9FDDF5C9F7FE8D2DC6C8BC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159474Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:52.177{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2E68D6517F56AF224DFF5C38EC7C43,SHA256=A61B4124445BE910DA3EA807BF8B5F7BF3C3E260078E74C5E145DA75F513D7CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159473Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:52.162{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2176ABBC6CF09D99FF91CC9927B5A503,SHA256=4349DBBB821267ED53CF0367C038E712FDF70AE5461C80D1FAE28162975891CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118830Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:53.950{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-030MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118829Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:53.651{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475D738AB3652938A6D32B82BA89C748,SHA256=EA2A60DDE904E7AB4B263DD249A0431F8B269335F805F6D22381D1DECFEB842F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159554Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}4352788C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+93fe81|C:\Program Files\Mozilla Firefox\xul.dll+9a7cee|C:\Program Files\Mozilla Firefox\xul.dll+cbf41|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+16c7915|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+25f52|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159553Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159552Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159551Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159550Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159549Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159548Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159547Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+f4e6e8|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3 10341000x8000000000000000159546Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+f4e6e8|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3 10341000x8000000000000000159545Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+f4e6e8|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3 10341000x8000000000000000159544Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159543Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159542Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159541Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.974{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159540Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.959{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159539Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.959{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159538Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.943{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159537Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.943{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159536Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.943{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+994ec9|C:\Program Files\Mozilla Firefox\xul.dll+db86f8|C:\Program Files\Mozilla Firefox\xul.dll+195ab5b|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+192a2a9|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000159535Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:53.943{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000159534Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:53.943{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-0C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159533Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.927{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159532Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.927{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adafa3|C:\Program Files\Mozilla Firefox\xul.dll+30b31c|C:\Program Files\Mozilla Firefox\xul.dll+f2e795|C:\Program Files\Mozilla Firefox\xul.dll+b4df24|C:\Program Files\Mozilla Firefox\xul.dll+30abed|C:\Program Files\Mozilla Firefox\xul.dll+391b5b|C:\Program Files\Mozilla Firefox\xul.dll+39135d|C:\Program Files\Mozilla Firefox\xul.dll+b37a1a|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50 10341000x8000000000000000159531Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.927{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adafa3|C:\Program Files\Mozilla Firefox\xul.dll+af413f|C:\Program Files\Mozilla Firefox\xul.dll+af3dd4|C:\Program Files\Mozilla Firefox\xul.dll+f2e062|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65|C:\Program Files\Mozilla Firefox\xul.dll+e876f4|C:\Program Files\Mozilla Firefox\xul.dll+e87199|C:\Program Files\Mozilla Firefox\xul.dll+e87dcf 10341000x8000000000000000159530Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.927{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+ae8612|C:\Program Files\Mozilla Firefox\xul.dll+ae1700|C:\Program Files\Mozilla Firefox\xul.dll+ae2546|C:\Program Files\Mozilla Firefox\xul.dll+affd24|C:\Program Files\Mozilla Firefox\xul.dll+a9a009|C:\Program Files\Mozilla Firefox\xul.dll+ae792e|C:\Program Files\Mozilla Firefox\xul.dll+199fa69|C:\Program Files\Mozilla Firefox\xul.dll+18b0d93|C:\Program Files\Mozilla Firefox\xul.dll+18af0cf|C:\Program Files\Mozilla Firefox\xul.dll+37d84d|C:\Program Files\Mozilla Firefox\xul.dll+f35dd6|C:\Program Files\Mozilla Firefox\xul.dll+f356da|C:\Program Files\Mozilla Firefox\xul.dll+f3586e|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88 10341000x8000000000000000159529Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.927{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x8000000000000000159528Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.896{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159527Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.896{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159526Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:53.896{189417FC-2AB1-618E-A201-000000000602}96\chrome.4352.2.91307503C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159525Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.896{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+1b443c|C:\Program Files\Mozilla Firefox\xul.dll+94a036|C:\Program Files\Mozilla Firefox\xul.dll+94490f|C:\Program Files\Mozilla Firefox\xul.dll+1946e91|C:\Program Files\Mozilla Firefox\xul.dll+1945587|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159524Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:53.896{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.2.91307503C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000159523Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:53.896{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.1.189385845C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159522Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.896{189417FC-2AAF-618E-A101-000000000602}43524700C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13032b|C:\Program Files\Mozilla Firefox\xul.dll+1192e1d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159521Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:53.896{189417FC-2AAF-618E-A101-000000000602}4352\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159520Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.881{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159519Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dbf8c9|C:\Program Files\Mozilla Firefox\xul.dll+db1420|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6|C:\Program Files\Mozilla Firefox\xul.dll+16e9dcb|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd|C:\Program Files\Mozilla Firefox\xul.dll+165513f|C:\Program Files\Mozilla Firefox\xul.dll+1ad9cf6|C:\Program Files\Mozilla Firefox\xul.dll+167f79b 10341000x8000000000000000159518Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+986b14|C:\Program Files\Mozilla Firefox\xul.dll+a0e2ee|C:\Program Files\Mozilla Firefox\xul.dll+db13d0|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6|C:\Program Files\Mozilla Firefox\xul.dll+16e9dcb|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd|C:\Program Files\Mozilla Firefox\xul.dll+165513f 10341000x8000000000000000159517Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6|C:\Program Files\Mozilla Firefox\xul.dll+16e9dcb|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd 10341000x8000000000000000159516Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+db10ca|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6|C:\Program Files\Mozilla Firefox\xul.dll+16e9dcb|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd|C:\Program Files\Mozilla Firefox\xul.dll+165513f|C:\Program Files\Mozilla Firefox\xul.dll+1ad9cf6 10341000x8000000000000000159515Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+db1041|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6|C:\Program Files\Mozilla Firefox\xul.dll+16e9dcb|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd|C:\Program Files\Mozilla Firefox\xul.dll+165513f|C:\Program Files\Mozilla Firefox\xul.dll+1ad9cf6|C:\Program Files\Mozilla Firefox\xul.dll+167f79b|C:\Program Files\Mozilla Firefox\xul.dll+165513f 10341000x8000000000000000159514Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+bf1e5|C:\Program Files\Mozilla Firefox\xul.dll+db0d18|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6|C:\Program Files\Mozilla Firefox\xul.dll+16e9dcb|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd|C:\Program Files\Mozilla Firefox\xul.dll+165513f|C:\Program Files\Mozilla Firefox\xul.dll+1ad9cf6|C:\Program Files\Mozilla Firefox\xul.dll+167f79b 10341000x8000000000000000159513Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+93cfbf|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+15eda3c|C:\Program Files\Mozilla Firefox\xul.dll+194560c|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159512Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159511Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159510Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159509Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159508Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.849{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159507Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.834{189417FC-2AAF-618E-A101-000000000602}43524552C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3ad|C:\Program Files\Mozilla Firefox\firefox.exe+2e5b5|C:\Program Files\Mozilla Firefox\xul.dll+1f40fea|C:\Program Files\Mozilla Firefox\xul.dll+93930a|C:\Program Files\Mozilla Firefox\xul.dll+937515|C:\Program Files\Mozilla Firefox\xul.dll+93dd7e|C:\Program Files\Mozilla Firefox\xul.dll+7e0ef1|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159506Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.843{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.1.1893858451\957623576" -childID 1 -isForBrowser -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 511 -prefMapSize 245782 -jsInit 1084 278680 -parentBuildID 20211103134640 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 2124 124f2b2fd38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862LowMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000159505Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:53.818{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.1.189385845C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159504Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.802{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439ee|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6 10341000x8000000000000000159503Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.802{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439c7|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6 10341000x8000000000000000159502Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.802{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e4399c|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+2730b1|C:\Program Files\Mozilla Firefox\xul.dll+37551e|C:\Program Files\Mozilla Firefox\xul.dll+c53ca6 23542300x8000000000000000159501Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.568{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159500Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.568{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159499Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.474{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\doomed\26970MD5=4E49208E89E56A02B78B8457F2740AFC,SHA256=07319E4F2D000B8C2656390E17EF1F5F9628C9A3C50B5A6B7836815547FFE798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159498Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.459{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159497Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.381{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159496Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.381{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159495Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.381{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159494Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:53.381{189417FC-2AB1-618E-A201-000000000602}96\chrome.4352.0.203879400C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159493Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.381{189417FC-2AAF-618E-A101-000000000602}43524700C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13032b|C:\Program Files\Mozilla Firefox\xul.dll+1192e1d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159492Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:53.381{189417FC-2AB1-618E-A201-000000000602}96\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159491Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.381{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159490Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.381{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159489Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159488Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159487Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159486Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159485Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+93cfbf|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+15eda3c|C:\Program Files\Mozilla Firefox\xul.dll+194560c|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159484Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159483Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.334{189417FC-2AAF-618E-A101-000000000602}43524552C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+16e36c4|C:\Program Files\Mozilla Firefox\xul.dll+939189|C:\Program Files\Mozilla Firefox\xul.dll+937515|C:\Program Files\Mozilla Firefox\xul.dll+93dd7e|C:\Program Files\Mozilla Firefox\xul.dll+7e0ef1|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159482Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.335{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.0.2038794004\1457074761" -parentBuildID 20211103134640 -prefsHandle 1320 -prefMapHandle 1312 -prefsLen 1 -prefMapSize 245782 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 1416 124ec860d38 gpuC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862MediumMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000159481Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:53.318{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.0.203879400C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000159480Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:53.318{189417FC-2AAF-618E-A101-000000000602}4352\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159479Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.224{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159478Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.224{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159477Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.177{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4911F3781A4E817448991A8E2A52113,SHA256=7F2E3D4C75236EF7319F9CE2044F774F2127CDB1364695FD0E4E83C9ECB413B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159476Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.131{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159475Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:50.215{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58706-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118832Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:54.964{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-031MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118831Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:54.697{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC026205BE48ED4E3A93F7BE9FB6D447,SHA256=4C0CFB73DAC9A55ECFAFAEE6D899DE09ED7AAE51D7B0E7BF41343EACBA7B48C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159792Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159791Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159790Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159789Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159788Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159787Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159786Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159785Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-2AAF-618E-A101-000000000602}43524552C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3ad|C:\Program Files\Mozilla Firefox\firefox.exe+2e5b5|C:\Program Files\Mozilla Firefox\xul.dll+1f40fea|C:\Program Files\Mozilla Firefox\xul.dll+93930a|C:\Program Files\Mozilla Firefox\xul.dll+937515|C:\Program Files\Mozilla Firefox\xul.dll+93dd7e|C:\Program Files\Mozilla Firefox\xul.dll+7e0ef1|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159784Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.996{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.7.19055648\1823273474" -childID 4 -isForBrowser -prefsHandle 4328 -prefMapHandle 4104 -prefsLen 6773 -prefMapSize 245782 -jsInit 1084 278680 -parentBuildID 20211103134640 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 4348 124f39d9d38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862LowMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000159783Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159782Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159781Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159780Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159779Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159778Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.983{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159777Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.983{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.7.1905564C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159776Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.967{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+994ec9|C:\Program Files\Mozilla Firefox\xul.dll+db86f8|C:\Program Files\Mozilla Firefox\xul.dll+195ab5b|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+192a2a9|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000159775Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.967{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000159774Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.967{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159773Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.945{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159772Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.945{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159771Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.945{189417FC-2AB1-618E-A201-000000000602}96\chrome.4352.6.124859652C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159770Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.945{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+1b443c|C:\Program Files\Mozilla Firefox\xul.dll+94a036|C:\Program Files\Mozilla Firefox\xul.dll+94490f|C:\Program Files\Mozilla Firefox\xul.dll+1946e91|C:\Program Files\Mozilla Firefox\xul.dll+19457f3|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159769Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.945{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.6.124859652C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000159768Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.945{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.5.25488921C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159767Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.930{189417FC-2AAF-618E-A101-000000000602}43524700C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13032b|C:\Program Files\Mozilla Firefox\xul.dll+1192e1d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159766Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.930{189417FC-2AAF-618E-A101-000000000602}4352\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000159765Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.930{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326050B1F6D1F98653E62ACF5F2FED63,SHA256=5BD6D7CD8ECCC423C374D8F2D990DDB7B26D13BA187837A220ABB2C2BE693829,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000159764Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.611{189417FC-2AAF-618E-A101-000000000602}4352cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159763Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.609{189417FC-2AAF-618E-A101-000000000602}4352cs9.wac.phicdn.net093.184.220.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159762Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.596{189417FC-2AAF-618E-A101-000000000602}4352prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159761Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.582{189417FC-2AAF-618E-A101-000000000602}4352prod.ingestion-edge.prod.dataops.mozgcp.net035.227.207.240;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159760Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.431{189417FC-2AAF-618E-A101-000000000602}4352a1887.dscq.akamai.net02a02:26f0:1700:f::1737:a1a1;2a02:26f0:1700:f::1737:a1a4;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159759Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.426{189417FC-2AAF-618E-A101-000000000602}4352a1887.dscq.akamai.net0184.24.77.48;184.24.77.54;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159758Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.425{189417FC-2AAF-618E-A101-000000000602}4352r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:184.24.77.54;::ffff:184.24.77.48;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159757Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.205{189417FC-2AAF-618E-A101-000000000602}4352d2nxq2uap88usk.cloudfront.net02600:9000:225e:3000:a:da5e:7900:93a1;2600:9000:225e:f600:a:da5e:7900:93a1;2600:9000:225e:e600:a:da5e:7900:93a1;2600:9000:225e:5200:a:da5e:7900:93a1;2600:9000:225e:f200:a:da5e:7900:93a1;2600:9000:225e:200:a:da5e:7900:93a1;2600:9000:225e:8e00:a:da5e:7900:93a1;2600:9000:225e:6400:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159756Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.204{189417FC-2AAF-618E-A101-000000000602}4352d2nxq2uap88usk.cloudfront.net018.66.139.67;18.66.139.17;18.66.139.125;18.66.139.97;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159755Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.181{189417FC-2AAF-618E-A101-000000000602}4352example.org093.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159754Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.181{189417FC-2AAF-618E-A101-000000000602}4352example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159753Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.173{189417FC-2AAF-618E-A101-000000000602}4352prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159752Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.167{189417FC-2AAF-618E-A101-000000000602}4352prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159751Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.159{189417FC-2AAF-618E-A101-000000000602}4352detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159750Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dbf8c9|C:\Program Files\Mozilla Firefox\xul.dll+db1420|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159749Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+986b14|C:\Program Files\Mozilla Firefox\xul.dll+a0e2ee|C:\Program Files\Mozilla Firefox\xul.dll+db13d0|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8 10341000x8000000000000000159748Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159747Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159746Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159745Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159744Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159743Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159742Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159741Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159740Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159739Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159738Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159737Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159736Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159735Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+db10ca|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159734Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+db1041|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159733Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+bf1e5|C:\Program Files\Mozilla Firefox\xul.dll+db0d18|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159732Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.898{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+93cfbf|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+15eda3c|C:\Program Files\Mozilla Firefox\xul.dll+194560c|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159731Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159730Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159729Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159728Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159727Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159726Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-2AAF-618E-A101-000000000602}43524552C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3ad|C:\Program Files\Mozilla Firefox\firefox.exe+2e5b5|C:\Program Files\Mozilla Firefox\xul.dll+1f40fea|C:\Program Files\Mozilla Firefox\xul.dll+93930a|C:\Program Files\Mozilla Firefox\xul.dll+937515|C:\Program Files\Mozilla Firefox\xul.dll+93dd7e|C:\Program Files\Mozilla Firefox\xul.dll+7e0ef1|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159725Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.895{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.5.254889219\1412856095" -childID 3 -isForBrowser -prefsHandle 4052 -prefMapHandle 4104 -prefsLen 6773 -prefMapSize 245782 -jsInit 1084 278680 -parentBuildID 20211103134640 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 4160 124f8accf38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862LowMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000159724Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.883{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.5.25488921C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159723Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159722Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.883{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159721Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.814{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=9DA25B1BAFBCF28600888EB9ED98BEDF,SHA256=8FCE6C6BEB7692DFA73C7BF8B8EC166B1C87497DD3724C0AC819B9F429EC2396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159720Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.814{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=9DA25B1BAFBCF28600888EB9ED98BEDF,SHA256=8FCE6C6BEB7692DFA73C7BF8B8EC166B1C87497DD3724C0AC819B9F429EC2396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159719Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.814{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=C79B11468454491C63E95578874803B9,SHA256=5409909CA518DBFCD76C96C08AFAFFD6F5AF7AB62B1329EB4A78A1ACA8935104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159718Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.814{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=55E8609F7694397EFBC207072F077D12,SHA256=3B4832AD62D0B1DC33297835ED0C03A52981BBB8E3477F3D42CE1288B9D4B321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159717Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.799{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=982D51BD048A615D4998C76F37FCC02B,SHA256=6FB1C581AC221FB4262AADAE905CDCDAA09EA70B2306A3B26F23C935F16FBCC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159716Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.799{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=E46DD924F55462D60EDF3E14EF77EA04,SHA256=DA163EA2CE4A8F41309CCE1EFE671E4DD23EBA8D5FF1CE9D21259E30C4136B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159715Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.799{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=5E6008E5566DA613B699019FAEBDC82A,SHA256=47BA5D7A431055ADDF940DD310C0AD498D8FA81E15DC931521ECD355E5A92503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159714Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.799{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=7F8F9A51990B068CDA6670DB6B6619E0,SHA256=50C187719B87DA90C8634CECAABE3CD174193A5605E7F010ABB24A11EECEC54E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159713Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=E1C6266526E274E68108A15C564D5AD5,SHA256=CEFD6005AD7EAA66A682C711E7E9C81F63C3D5C452D7769BFEA9B9349D1AB62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159712Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=EFE9F1FAA3E35B602F979040B611A669,SHA256=1B2942D7761FCA547A1327778A881958DFE476883694CA7635D20C8A508F03AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159711Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=9D92810283136C762559D54CA0F46A65,SHA256=EDECA012D0FA17DC306FF377802F0C6E52906140DA82BB319BFC1A04948D9F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159710Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=982D51BD048A615D4998C76F37FCC02B,SHA256=6FB1C581AC221FB4262AADAE905CDCDAA09EA70B2306A3B26F23C935F16FBCC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159709Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=64FAF0D25747A0227006076985EEAAA8,SHA256=73FCC48560D71DF86F2B4F3030F5291F3FF223C0700A377625B70436788528EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159708Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=CC69B09AEFD85FE76F387FF22A35A858,SHA256=08F0EAE6241620FBCBC6B3C1D46EE6C99CD0C3C09692550C537657A838A0F2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159707Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=7B85ADA1A483F2BC175A04F9E358EE86,SHA256=3B438A8FF277FDE2465D1FC0D980FA1A71E64B0602421F604B42842C7C1615CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159706Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.783{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=0AEC8C305AB24C81A859CEB9B3DB2E3C,SHA256=C57244A09C3C767329FFB1BF6B53CD45B5B7663AFCBE267C4D8C95E2824EA8D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159705Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=13FFDFC649AC1124FDAC5B76254EE269,SHA256=EBEDFD88628352853F7703E6326CED0B319D4CA64DAE1ED1C388FD64A4C7CE3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159704Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=A1F511B00974C953E8DD74025AC40B99,SHA256=9AA8A424134EAFA4940BB9B3FF600F26D26C7DC262FE554CA6A8C65DCF682FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159703Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=07E1019EA296978D6C31C90A90DBB825,SHA256=C4703FBFF5FC562A42619CA901AECC6E7247D39DEF32A10F3BC258E29C53DDFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159702Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=506157684F94D1D751AF28E86919550B,SHA256=D1C9685D21EF79A36DDF667FF0118AECDC2C0502586199D725A91CC125EE333E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159701Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=E10F4A7BD8005B28174BD41110B53FE1,SHA256=44E932A2E00BC4857A6F10A1F85F3CE41A719D74F006547246AB2AC871A2FD23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159700Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159699Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159698Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.767{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=7E8BD09BAA9694499EB7A41794B6076B,SHA256=8D0B022A298FAC5AB20BC508FDB9425D3D5D018063B31EB58AE8468CE9444252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159697Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.746{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=C55D41BD354F51BA011C301BD932C6B6,SHA256=5BE22265654CE82F48038E88D412D5213DB2EF31228DBA7F53A623B12420895E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159696Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.746{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\update-config.jsonMD5=FE74F5C38F433736EE7015868CFB159E,SHA256=3F7B3252EF3B6217AD78ADB7007738601CE1EEBCA69F55990B64BF254BD4FC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159695Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.746{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159694Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.746{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159693Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.714{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159692Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.714{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159691Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.714{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159690Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.630{189417FC-2AAF-618E-A101-000000000602}4352788C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+93fe81|C:\Program Files\Mozilla Firefox\xul.dll+9a7cee|C:\Program Files\Mozilla Firefox\xul.dll+cbf41|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+16c7915|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159689Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.599{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f2df79|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e88cbb|C:\Program Files\Mozilla Firefox\xul.dll+192a801 10341000x8000000000000000159688Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.599{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 23542300x8000000000000000159687Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.567{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EFDE8B7B4A495E2179D08ADB5F4E9C,SHA256=9FF1ECAE8B01BC5315D1023E48DDD7672A50B237907E5C07AF35BF659A39167B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159686Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159685Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159684Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159683Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159682Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159681Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159680Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159679Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159678Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159677Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14FE3D1833325B16488F35C3A59EF8C,SHA256=DE984C5DC385E3E1C4702115819C1464EEF0CCE3DB497CE2EE530DD30C19E404,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159676Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159675Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159674Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159673Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.530{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159672Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159671Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159670Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159669Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159668Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159667Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159666Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.515{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159665Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159664Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159663Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159662Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159661Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159660Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159659Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159658Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+9c00a9|C:\Program Files\Mozilla Firefox\xul.dll+90f8a2|C:\Program Files\Mozilla Firefox\xul.dll+7dffaa|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159657Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159656Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159655Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159654Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.499{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b41436|C:\Program Files\Mozilla Firefox\xul.dll+39c5a0|C:\Program Files\Mozilla Firefox\xul.dll+39c1b9|C:\Program Files\Mozilla Firefox\xul.dll+39c068|C:\Program Files\Mozilla Firefox\xul.dll+b57680|C:\Program Files\Mozilla Firefox\xul.dll+b56ffd|C:\Program Files\Mozilla Firefox\xul.dll+b500b4|C:\Program Files\Mozilla Firefox\xul.dll+b554b8|C:\Program Files\Mozilla Firefox\xul.dll+b55c4b|C:\Program Files\Mozilla Firefox\xul.dll+38eb41|C:\Program Files\Mozilla Firefox\xul.dll+b56a29|C:\Program Files\Mozilla Firefox\xul.dll+b599e2|C:\Program Files\Mozilla Firefox\xul.dll+b56446|C:\Program Files\Mozilla Firefox\xul.dll+38e307|C:\Program Files\Mozilla Firefox\xul.dll+b358ef|C:\Program Files\Mozilla Firefox\xul.dll+1e9b50a 10341000x8000000000000000159653Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+add828|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159652Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159651Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159650Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159649Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159648Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159647Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.483{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159646Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.468{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159645Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.468{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159644Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.468{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F41B72B8E3636FFE0720B0A5D519A66,SHA256=7329A8CD5E8C638A567223C5CFDB18FF3C957A1CE138FFDF2DF4BF0BCD617FF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159643Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.430{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159642Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.430{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159641Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.430{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=877420433E1A2312FE4AAD097D737B07,SHA256=F4D7A0EA193B7DC27FBDBDCE170F8461C742E96A052175F33512A45E022A7E31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159640Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.430{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159639Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.430{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159638Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.430{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159637Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.415{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159636Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.399{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+994ec9|C:\Program Files\Mozilla Firefox\xul.dll+db86f8|C:\Program Files\Mozilla Firefox\xul.dll+195ab5b|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+192a2a9|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000159635Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.399{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000159634Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.399{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-1C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159633Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.399{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159632Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.399{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159631Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.383{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159630Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.383{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159629Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.383{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA6A62E3CAC7806A491967FC21EA97D,SHA256=17F39635426F9C5F310DA7ABF4D838AC4521D5C54FCD34B6608502CC9C7CC485,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159628Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.383{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+ef2c08|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e88cbb|C:\Program Files\Mozilla Firefox\xul.dll+192a801 10341000x8000000000000000159627Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.368{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159626Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.368{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159625Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.368{189417FC-2AB1-618E-A201-000000000602}96\chrome.4352.4.138860035C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159624Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.368{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+1b443c|C:\Program Files\Mozilla Firefox\xul.dll+94a036|C:\Program Files\Mozilla Firefox\xul.dll+94490f|C:\Program Files\Mozilla Firefox\xul.dll+1946e91|C:\Program Files\Mozilla Firefox\xul.dll+1945587|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159623Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.368{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.4.138860035C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000159622Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.368{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.3.56488732C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159621Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.368{189417FC-2AAF-618E-A101-000000000602}43524700C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13032b|C:\Program Files\Mozilla Firefox\xul.dll+1192e1d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159620Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:54.368{189417FC-2AAF-618E-A101-000000000602}4352\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159619Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.346{189417FC-2AAF-618E-A101-000000000602}43521608C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+381b0|C:\Program Files\Mozilla Firefox\firefox.exe+380a6|C:\Program Files\Mozilla Firefox\firefox.exe+49680|C:\Program Files\Mozilla Firefox\firefox.exe+4937c|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159618Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dbf8c9|C:\Program Files\Mozilla Firefox\xul.dll+db1420|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+1aecae3|C:\Program Files\Mozilla Firefox\xul.dll+1cb9fd5 10341000x8000000000000000159617Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+986b14|C:\Program Files\Mozilla Firefox\xul.dll+a0e2ee|C:\Program Files\Mozilla Firefox\xul.dll+db13d0|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601 10341000x8000000000000000159616Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159615Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159614Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159613Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159612Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159611Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159610Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159609Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159608Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159607Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159606Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159605Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159604Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e 10341000x8000000000000000159603Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+db10ca|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+1aecae3 10341000x8000000000000000159602Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+db10bf|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601 10341000x8000000000000000159601Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+db10bf|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601 10341000x8000000000000000159600Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+db1041|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+1aecae3|C:\Program Files\Mozilla Firefox\xul.dll+1cb9fd5|UNKNOWN(000001A4E9C63EBF) 10341000x8000000000000000159599Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+bf1e5|C:\Program Files\Mozilla Firefox\xul.dll+db0d18|C:\Program Files\Mozilla Firefox\xul.dll+db065c|C:\Program Files\Mozilla Firefox\xul.dll+db2b6d|C:\Program Files\Mozilla Firefox\xul.dll+bb9dc0|C:\Program Files\Mozilla Firefox\xul.dll+bb7235|C:\Program Files\Mozilla Firefox\xul.dll+2908cd|C:\Program Files\Mozilla Firefox\xul.dll+290461|C:\Program Files\Mozilla Firefox\xul.dll+efdd3f|C:\Program Files\Mozilla Firefox\xul.dll+16f8d74|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+bb95d6|C:\Program Files\Mozilla Firefox\xul.dll+26bb61|C:\Program Files\Mozilla Firefox\xul.dll+239d47|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+17c9cb1|C:\Program Files\Mozilla Firefox\xul.dll+19d740e|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+1aecae3|C:\Program Files\Mozilla Firefox\xul.dll+1cb9fd5 10341000x8000000000000000159598Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+93cfbf|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+15eda3c|C:\Program Files\Mozilla Firefox\xul.dll+194560c|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159597Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159596Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159595Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159594Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159593Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159592Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.315{189417FC-2AAF-618E-A101-000000000602}43524552C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3ad|C:\Program Files\Mozilla Firefox\firefox.exe+2e5b5|C:\Program Files\Mozilla Firefox\xul.dll+1f40fea|C:\Program Files\Mozilla Firefox\xul.dll+93930a|C:\Program Files\Mozilla Firefox\xul.dll+937515|C:\Program Files\Mozilla Firefox\xul.dll+93dd7e|C:\Program Files\Mozilla Firefox\xul.dll+7e0ef1|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159591Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.330{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.3.564887321\206879888" -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3472 -prefsLen 6051 -prefMapSize 245782 -jsInit 1084 278680 -parentBuildID 20211103134640 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 3484 124f5c36338 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862LowMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000159590Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.315{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159589Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:54.315{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.3.56488732C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159588Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.299{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+f59b5c|C:\Program Files\Mozilla Firefox\xul.dll+f4b08d|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0 10341000x8000000000000000159587Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.299{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+ef2c08|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 23542300x8000000000000000159586Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.268{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159585Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.268{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+add828|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159584Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.268{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+add828|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fb37d|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159583Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.231{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x8000000000000000159582Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.231{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x8000000000000000159581Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.231{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+94b219|C:\Program Files\Mozilla Firefox\xul.dll+94b13a|C:\Program Files\Mozilla Firefox\xul.dll+94ad49|C:\Program Files\Mozilla Firefox\xul.dll+946adf|C:\Program Files\Mozilla Firefox\xul.dll+946dec|C:\Program Files\Mozilla Firefox\xul.dll+aa37ba|C:\Program Files\Mozilla Firefox\xul.dll+2d51a9|C:\Program Files\Mozilla Firefox\xul.dll+2d50b4|C:\Program Files\Mozilla Firefox\xul.dll+2d4eb5|C:\Program Files\Mozilla Firefox\xul.dll+2d4d64|C:\Program Files\Mozilla Firefox\xul.dll+acaea3|C:\Program Files\Mozilla Firefox\xul.dll+acc001|C:\Program Files\Mozilla Firefox\xul.dll+acab9d|C:\Program Files\Mozilla Firefox\xul.dll+ac9e42|C:\Program Files\Mozilla Firefox\xul.dll+af2741|C:\Program Files\Mozilla Firefox\xul.dll+19a091d|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0 10341000x8000000000000000159580Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.231{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+aa63b1|C:\Program Files\Mozilla Firefox\xul.dll+adac73|C:\Program Files\Mozilla Firefox\xul.dll+adae27|C:\Program Files\Mozilla Firefox\xul.dll+aa619f|C:\Program Files\Mozilla Firefox\xul.dll+b40670|C:\Program Files\Mozilla Firefox\xul.dll+b3fcf6|C:\Program Files\Mozilla Firefox\xul.dll+b367fc|C:\Program Files\Mozilla Firefox\xul.dll+b41020|C:\Program Files\Mozilla Firefox\xul.dll+ef2c08|C:\Program Files\Mozilla Firefox\xul.dll+19a08e9|C:\Program Files\Mozilla Firefox\xul.dll+af8c88|C:\Program Files\Mozilla Firefox\xul.dll+f46d7d|C:\Program Files\Mozilla Firefox\xul.dll+eb3bcd|C:\Program Files\Mozilla Firefox\xul.dll+e938c0|C:\Program Files\Mozilla Firefox\xul.dll+e23812|C:\Program Files\Mozilla Firefox\xul.dll+e233ce|C:\Program Files\Mozilla Firefox\xul.dll+18a0b3a|C:\Program Files\Mozilla Firefox\xul.dll+1a3edf3|C:\Program Files\Mozilla Firefox\xul.dll+e87cf0|C:\Program Files\Mozilla Firefox\xul.dll+e87b65 10341000x8000000000000000159579Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159578Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159577Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159576Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159575Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159574Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159573Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.184{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159572Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.168{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159571Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.146{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159570Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.146{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159569Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.146{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159568Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.146{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+19b693|C:\Program Files\Mozilla Firefox\xul.dll+81fc25|C:\Program Files\Mozilla Firefox\xul.dll+81f801|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000159567Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.146{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159566Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.115{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439ee|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+e903d5|C:\Program Files\Mozilla Firefox\xul.dll+1a479e3|C:\Program Files\Mozilla Firefox\xul.dll+16f86ad|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+10403c|C:\Program Files\Mozilla Firefox\xul.dll+122cef|C:\Program Files\Mozilla Firefox\xul.dll+1102bee|C:\Program Files\Mozilla Firefox\xul.dll+83b2f8|C:\Program Files\Mozilla Firefox\xul.dll+83ba46|C:\Program Files\Mozilla Firefox\xul.dll+22f560 10341000x8000000000000000159565Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.115{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e439c7|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+e903d5|C:\Program Files\Mozilla Firefox\xul.dll+1a479e3|C:\Program Files\Mozilla Firefox\xul.dll+16f86ad|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+10403c|C:\Program Files\Mozilla Firefox\xul.dll+122cef|C:\Program Files\Mozilla Firefox\xul.dll+1102bee|C:\Program Files\Mozilla Firefox\xul.dll+83b2f8|C:\Program Files\Mozilla Firefox\xul.dll+83ba46|C:\Program Files\Mozilla Firefox\xul.dll+22f560 10341000x8000000000000000159564Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.115{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A201-000000000602}96C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+e4399c|C:\Program Files\Mozilla Firefox\xul.dll+b22a12|C:\Program Files\Mozilla Firefox\xul.dll+287985|C:\Program Files\Mozilla Firefox\xul.dll+28775a|C:\Program Files\Mozilla Firefox\xul.dll+e5cd45|C:\Program Files\Mozilla Firefox\xul.dll+183bc5a|C:\Program Files\Mozilla Firefox\xul.dll+1a48ad8|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a48d1f|C:\Program Files\Mozilla Firefox\xul.dll+1a4af6f|C:\Program Files\Mozilla Firefox\xul.dll+16f7d69|C:\Program Files\Mozilla Firefox\xul.dll+e903d5|C:\Program Files\Mozilla Firefox\xul.dll+1a479e3|C:\Program Files\Mozilla Firefox\xul.dll+16f86ad|C:\Program Files\Mozilla Firefox\xul.dll+16f72e5|C:\Program Files\Mozilla Firefox\xul.dll+10403c|C:\Program Files\Mozilla Firefox\xul.dll+122cef|C:\Program Files\Mozilla Firefox\xul.dll+1102bee|C:\Program Files\Mozilla Firefox\xul.dll+83b2f8|C:\Program Files\Mozilla Firefox\xul.dll+83ba46|C:\Program Files\Mozilla Firefox\xul.dll+22f560 10341000x8000000000000000159563Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.099{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159562Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.099{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159561Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.099{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159560Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.084{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159559Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.084{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159558Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.068{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+bf56f4|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+165302a|C:\Program Files\Mozilla Firefox\xul.dll+1ae3fa6|C:\Program Files\Mozilla Firefox\xul.dll+170884e|C:\Program Files\Mozilla Firefox\xul.dll+16b8275|UNKNOWN(000001A4E9C61E84) 10341000x8000000000000000159557Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.068{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+bf56f4|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+165302a|C:\Program Files\Mozilla Firefox\xul.dll+1ae3fa6|C:\Program Files\Mozilla Firefox\xul.dll+170884e|C:\Program Files\Mozilla Firefox\xul.dll+16b8275|UNKNOWN(000001A4E9C61E84) 10341000x8000000000000000159556Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.068{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+bf56f4|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+165302a|C:\Program Files\Mozilla Firefox\xul.dll+1ae3fa6|C:\Program Files\Mozilla Firefox\xul.dll+11c1bdf|C:\Program Files\Mozilla Firefox\xul.dll+1aeccb1|C:\Program Files\Mozilla Firefox\xul.dll+1cb9fd5|UNKNOWN(000001A4E9C63EBF) 10341000x8000000000000000159555Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.068{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+bf56f4|C:\Program Files\Mozilla Firefox\xul.dll+1685601|C:\Program Files\Mozilla Firefox\xul.dll+165302a|C:\Program Files\Mozilla Firefox\xul.dll+1ae3fa6|C:\Program Files\Mozilla Firefox\xul.dll+11c1bdf|C:\Program Files\Mozilla Firefox\xul.dll+70eb4|C:\Program Files\Mozilla Firefox\xul.dll+88312|C:\Program Files\Mozilla Firefox\xul.dll+88215|C:\Program Files\Mozilla Firefox\xul.dll+a0bb9c|C:\Program Files\Mozilla Firefox\xul.dll+84d5b|C:\Program Files\Mozilla Firefox\xul.dll+b82fbf|C:\Program Files\Mozilla Firefox\xul.dll+167f2fd|C:\Program Files\Mozilla Firefox\xul.dll+120bc79|C:\Program Files\Mozilla Firefox\xul.dll+1ae57b0|C:\Program Files\Mozilla Firefox\xul.dll+170884e|C:\Program Files\Mozilla Firefox\xul.dll+1683511|C:\Program Files\Mozilla Firefox\xul.dll+196f5a8 23542300x8000000000000000118834Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:55.713{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEEB7DC4B9660383A5C5EC7B895B2B3,SHA256=522D219FED2221B4309AD857A6F3CE0CD484245770DFE49F9B72888326AA2075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159974Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.973{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=8B0B930BD10040516CECF865CBF807F0,SHA256=1F0B43926BEEC28F5BC2A9B9A3E19F8EE28329768934AC76EFD19B1FF7469A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159973Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.973{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159972Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.984{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local65177- 354300x8000000000000000159971Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.984{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53868- 354300x8000000000000000159970Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.981{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local49813- 354300x8000000000000000159969Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.980{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57558- 354300x8000000000000000159968Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.980{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local64854- 354300x8000000000000000159967Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.980{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51718- 354300x8000000000000000159966Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.980{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57209- 354300x8000000000000000159965Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.979{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50971- 354300x8000000000000000159964Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.978{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52593- 354300x8000000000000000159963Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.978{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local56060- 354300x8000000000000000159962Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.971{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57795- 354300x8000000000000000159961Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.970{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50999- 354300x8000000000000000159960Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.970{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local63251- 354300x8000000000000000159959Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.969{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53726- 354300x8000000000000000159958Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.968{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50374- 354300x8000000000000000159957Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.959{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local54602- 354300x8000000000000000159956Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.958{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52652- 354300x8000000000000000159955Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.958{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51110- 354300x8000000000000000159954Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.842{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58724-false35.227.207.240240.207.227.35.bc.googleusercontent.com443https 23542300x8000000000000000159953Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.957{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=664710C1B91D04A31D4AD6123807D44F,SHA256=6220FFF1EC2676AA2ADBF503DEC5EFF7FE3660EBBE296629AB9E31233706C05F,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000159952Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.998{189417FC-2AAF-618E-A101-000000000602}4352star-mini.c10r.facebook.com02a03:2880:f11c:8183:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159951Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.995{189417FC-2AAF-618E-A101-000000000602}4352e11847.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159950Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.994{189417FC-2AAF-618E-A101-000000000602}4352e15317.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159949Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.993{189417FC-2AAF-618E-A101-000000000602}4352e11847.a.akamaiedge.net0104.75.89.144;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159948Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.993{189417FC-2AAF-618E-A101-000000000602}4352e15317.a.akamaiedge.net0104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159947Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.993{189417FC-2AAF-618E-A101-000000000602}4352www.ebay.de0type: 5 ipv4.slot11847.ebay.com.edgekey.net;type: 5 e11847.a.akamaiedge.net;::ffff:104.75.89.144;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159946Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.992{189417FC-2AAF-618E-A101-000000000602}4352www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 www.amazon.de.edgekey.net;type: 5 e15317.a.akamaiedge.net;::ffff:104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159945Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.991{189417FC-2AAF-618E-A101-000000000602}4352dualstack.reddit.map.fastly.net02a04:4e42:62::396;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159944Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.990{189417FC-2AAF-618E-A101-000000000602}4352dyna.wikimedia.org02620:0:862:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159943Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.989{189417FC-2AAF-618E-A101-000000000602}4352dualstack.reddit.map.fastly.net0199.232.137.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159942Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.989{189417FC-2AAF-618E-A101-000000000602}4352star-mini.c10r.facebook.com0157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159941Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.989{189417FC-2AAF-618E-A101-000000000602}4352dyna.wikimedia.org091.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159940Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.989{189417FC-2AAF-618E-A101-000000000602}4352www.reddit.com0type: 5 dualstack.reddit.map.fastly.net;::ffff:199.232.137.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159939Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.988{189417FC-2AAF-618E-A101-000000000602}4352www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159938Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.988{189417FC-2AAF-618E-A101-000000000602}4352www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:91.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159937Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.986{189417FC-2AAF-618E-A101-000000000602}4352youtube-ui.l.google.com02a00:1450:4001:810::200e;2a00:1450:4001:811::200e;2a00:1450:4001:812::200e;2a00:1450:4001:80f::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159936Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.986{189417FC-2AAF-618E-A101-000000000602}4352github.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159935Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.986{189417FC-2AAF-618E-A101-000000000602}4352www.codegrepper.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159934Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.980{189417FC-2AAF-618E-A101-000000000602}4352www.codegrepper.com0192.155.88.129;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000159933Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.957{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000159932Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.979{189417FC-2AAF-618E-A101-000000000602}4352www.codegrepper.com0::ffff:192.155.88.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159931Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.979{189417FC-2AAF-618E-A101-000000000602}4352github.com0140.82.121.3;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159930Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.978{189417FC-2AAF-618E-A101-000000000602}4352youtube-ui.l.google.com0142.250.184.238;216.58.212.174;142.250.74.206;142.250.186.46;142.250.186.78;142.250.186.142;172.217.18.110;142.250.186.174;142.250.184.206;216.58.212.142;142.250.185.78;142.250.185.110;142.250.185.142;142.250.185.238;142.250.181.238;172.217.16.142;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159929Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.977{189417FC-2AAF-618E-A101-000000000602}4352www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:172.217.16.142;::ffff:142.250.184.238;::ffff:216.58.212.174;::ffff:142.250.74.206;::ffff:142.250.186.46;::ffff:142.250.186.78;::ffff:142.250.186.142;::ffff:172.217.18.110;::ffff:142.250.186.174;::ffff:142.250.184.206;::ffff:216.58.212.142;::ffff:142.250.185.78;::ffff:142.250.185.110;::ffff:142.250.185.142;::ffff:142.250.185.238;::ffff:142.250.181.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000159928Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.976{189417FC-2AAF-618E-A101-000000000602}4352github.com0::ffff:140.82.121.3;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000159927Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.926{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=804E1F68C038B57109DFB9ED9BD6735E,SHA256=A63BA4635A311071A50C85343BF670972D7A48203E77353DC7A7B02EAA29B4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159926Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.926{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3841DEB0562A354D8EA8E0ECE1AC5C40,SHA256=62F6D0C2431DC3EDA3C8017B80AF97CDE32CA9D211D268566B1642786D665C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159925Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.887{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159924Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.879{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159923Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.730{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58717-false52.41.42.148ec2-52-41-42-148.us-west-2.compute.amazonaws.com443https 354300x8000000000000000159922Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.703{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58723-false184.24.77.54a184-24-77-54.deploy.static.akamaitechnologies.com80http 354300x8000000000000000159921Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.689{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58722-false142.250.185.99fra16s49-in-f3.1e100.net80http 354300x8000000000000000159920Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.686{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57346- 354300x8000000000000000159919Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.682{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local65032- 354300x8000000000000000159918Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.671{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58720-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000159917Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.671{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58721-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000159916Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.669{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50764- 354300x8000000000000000159915Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.647{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58719-false142.250.184.234fra24s12-in-f10.1e100.net443https 354300x8000000000000000159914Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.645{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50970- 354300x8000000000000000159913Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.644{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57871- 354300x8000000000000000159912Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.642{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local56287- 354300x8000000000000000159911Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.600{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58718-false93.184.220.29-80http 354300x8000000000000000159910Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.600{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local64230- 354300x8000000000000000159909Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.574{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58716-false35.227.207.240240.207.227.35.bc.googleusercontent.com443https 354300x8000000000000000159908Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.574{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57788- 354300x8000000000000000159907Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.573{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local56315- 354300x8000000000000000159906Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.573{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52542- 354300x8000000000000000159905Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.567{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53192- 354300x8000000000000000159904Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.473{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58715-false52.222.214.96server-52-222-214-96.fra56.r.cloudfront.net443https 354300x8000000000000000159903Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.418{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58714-false184.24.77.54a184-24-77-54.deploy.static.akamaitechnologies.com80http 354300x8000000000000000159902Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.417{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local63427- 354300x8000000000000000159901Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.395{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58713-false52.222.214.96server-52-222-214-96.fra56.r.cloudfront.net443https 354300x8000000000000000159900Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.395{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51674- 354300x8000000000000000159899Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.394{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52308- 354300x8000000000000000159898Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.392{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local64198- 354300x8000000000000000159897Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.337{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58712-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000159896Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.336{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local65372- 354300x8000000000000000159895Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.336{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local55445- 23542300x8000000000000000159894Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.445{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\pending_pings\016e7da7-8f27-4eae-b863-7ef912951591MD5=8B00C7ECACEAEB3C4182DF202520C714,SHA256=7AEA2E1E36D25DF9241B36D071C883F2DA652F0EF540B077D58209D9C761C0EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159893Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.329{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B459106E89304C4C428AC4C16EF5FC,SHA256=1A1273ABF4CF31DF98B914EC1F1C9D6E92CDF1982FC8176BDC0A83C3E935722E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118833Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:53.743{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000159892Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.229{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\pending_pings\c3f88ece-09a5-4c9d-bd2f-e5eea6b06a39MD5=91E43F6DD9B60C3B1FB2EDE7F7AD872A,SHA256=6E307B583F7C0BFEEB3667421EC90C4FD11D1704766AA55F8A10F3C70E18C6D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000159891Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.195{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local49641- 354300x8000000000000000159890Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.173{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58710-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000159889Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.171{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57028- 354300x8000000000000000159888Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.165{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58709-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000159887Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.158{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51278- 354300x8000000000000000159886Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.148{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53925- 354300x8000000000000000159885Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:52.187{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-58708-false127.0.0.1-58707- 354300x8000000000000000159884Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:52.187{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-58708-false127.0.0.1-58707- 23542300x8000000000000000159883Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.182{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\search.json.mozlz4MD5=A52BFA33969CB66228B092D500B22119,SHA256=893ECCBDB36D3F5C88D87AEBCDFF8EC498225996ADB00EFF1C0F3A4E5EB49EEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159882Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.167{189417FC-2AAF-618E-A101-000000000602}4352788C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+93fe81|C:\Program Files\Mozilla Firefox\xul.dll+9a7cee|C:\Program Files\Mozilla Firefox\xul.dll+cbf41|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+16c7915|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159881Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.165{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159880Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.164{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159879Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.145{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159878Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.145{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159877Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.129{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+994ec9|C:\Program Files\Mozilla Firefox\xul.dll+db86f8|C:\Program Files\Mozilla Firefox\xul.dll+195ab5b|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+192a2a9|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000159876Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.129{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-4C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000159875Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:55.129{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-4C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000159874Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.129{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8E01A82B5A097EF17158DD903207AD,SHA256=906D2A0CA6AF8667B783D1739029B44303E69C2FEA2B3AA1ED2971788E3EBC54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159873Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.129{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159872Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.114{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159871Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.114{189417FC-2AB1-618E-A201-000000000602}96\chrome.4352.10.145043385C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159870Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.114{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+1b443c|C:\Program Files\Mozilla Firefox\xul.dll+94a036|C:\Program Files\Mozilla Firefox\xul.dll+94490f|C:\Program Files\Mozilla Firefox\xul.dll+1946e91|C:\Program Files\Mozilla Firefox\xul.dll+1945587|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159869Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:55.114{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.10.145043385C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000159868Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.114{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.9.98139869C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159867Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.114{189417FC-2AAF-618E-A101-000000000602}43524700C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13032b|C:\Program Files\Mozilla Firefox\xul.dll+1192e1d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159866Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.114{189417FC-2AAF-618E-A101-000000000602}4352\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159865Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159864Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159863Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159862Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159861Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159860Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159859Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.098{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159858Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dbf8c9|C:\Program Files\Mozilla Firefox\xul.dll+db1420|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159857Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+986b14|C:\Program Files\Mozilla Firefox\xul.dll+a0e2ee|C:\Program Files\Mozilla Firefox\xul.dll+db13d0|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8 10341000x8000000000000000159856Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159855Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159854Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159853Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159852Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159851Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159850Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159849Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159848Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159847Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159846Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159845Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159844Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159843Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+db10ca|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159842Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+db1041|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159841Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+bf1e5|C:\Program Files\Mozilla Firefox\xul.dll+db0d18|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159840Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+93cfbf|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+15eda3c|C:\Program Files\Mozilla Firefox\xul.dll+194560c|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159839Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159838Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159837Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159836Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159835Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000159834Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}43524552C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f3ad|C:\Program Files\Mozilla Firefox\firefox.exe+2e5b5|C:\Program Files\Mozilla Firefox\xul.dll+1f40fea|C:\Program Files\Mozilla Firefox\xul.dll+93930a|C:\Program Files\Mozilla Firefox\xul.dll+937515|C:\Program Files\Mozilla Firefox\xul.dll+93dd7e|C:\Program Files\Mozilla Firefox\xul.dll+7e0ef1|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000159833Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.088{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4352.9.981398691\356027077" -childID 5 -isForBrowser -prefsHandle 4476 -prefMapHandle 4372 -prefsLen 6773 -prefMapSize 245782 -jsInit 1084 278680 -parentBuildID 20211103134640 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4352 "\\.\pipe\gecko-crash-server-pipe.4352" 4460 124f8ace538 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862LowMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000159832Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.083{189417FC-2AAF-618E-A101-000000000602}4352788C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+93fe81|C:\Program Files\Mozilla Firefox\xul.dll+9a7cee|C:\Program Files\Mozilla Firefox\xul.dll+cbf41|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+16c7915|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+2601a|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159831Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:55.067{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.9.98139869C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159830Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.067{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159829Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.067{189417FC-233F-618E-1100-000000000602}5081572C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159828Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.065{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159827Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.065{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159826Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.045{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+947717|C:\Program Files\Mozilla Firefox\xul.dll+994ec9|C:\Program Files\Mozilla Firefox\xul.dll+db86f8|C:\Program Files\Mozilla Firefox\xul.dll+195ab5b|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+192a2a9|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000159825Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.045{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000159824Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:55.045{189417FC-2AAF-618E-A101-000000000602}4352\cubeb-pipe-4352-3C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000159823Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.030{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\pending_pings\5a816887-3524-4764-9fca-6ed097e3b991MD5=2742DE5460D85F7B9BB015583B86ADA7,SHA256=872CBC3C28236A2297E5090C2666DA5C1E67CFCC88D9DE0E313DBC2539728147,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000159822Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.030{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159821Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.030{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000159820Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.030{189417FC-2AB1-618E-A201-000000000602}96\chrome.4352.8.209130542C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159819Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.030{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+1b443c|C:\Program Files\Mozilla Firefox\xul.dll+94a036|C:\Program Files\Mozilla Firefox\xul.dll+94490f|C:\Program Files\Mozilla Firefox\xul.dll+1946e91|C:\Program Files\Mozilla Firefox\xul.dll+1945587|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000159818Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:49:55.030{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.8.209130542C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000159817Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.030{189417FC-2AAF-618E-A101-000000000602}4352\chrome.4352.7.1905564C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159816Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.030{189417FC-2AAF-618E-A101-000000000602}43524700C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13032b|C:\Program Files\Mozilla Firefox\xul.dll+1192e1d|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159815Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.030{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E131A79E46FAC8FE7E0B4A341DEE89,SHA256=9BF3C0531414AF79BD6E27EE35745A0521D6C8055A8E11D173757EC0BA38CA53,IMPHASH=00000000000000000000000000000000falsetrue 18141800x8000000000000000159814Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-ConnectPipe2021-11-12 08:49:55.030{189417FC-2AAF-618E-A101-000000000602}4352\gecko-crash-server-pipe.4352C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000159813Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}4352788C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+93fe81|C:\Program Files\Mozilla Firefox\xul.dll+9a7cee|C:\Program Files\Mozilla Firefox\xul.dll+cbf41|C:\Program Files\Mozilla Firefox\xul.dll+194eb92|C:\Program Files\Mozilla Firefox\xul.dll+16c7915|C:\Program Files\Mozilla Firefox\xul.dll+15fb6dd|C:\Program Files\Mozilla Firefox\xul.dll+25f52|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+7e3aa7|C:\Program Files\Mozilla Firefox\nss3.dll+7656d|C:\Program Files\Mozilla Firefox\nss3.dll+8e851|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159812Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f090|C:\Program Files\Mozilla Firefox\xul.dll+dc590e|C:\Program Files\Mozilla Firefox\xul.dll+dbf8c9|C:\Program Files\Mozilla Firefox\xul.dll+db1420|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159811Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+986e18|C:\Program Files\Mozilla Firefox\xul.dll+986b14|C:\Program Files\Mozilla Firefox\xul.dll+a0e2ee|C:\Program Files\Mozilla Firefox\xul.dll+db13d0|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8 10341000x8000000000000000159810Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159809Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159808Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159807Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159806Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159805Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159804Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159803Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159802Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159801Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159800Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159799Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159798Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+993fcd|C:\Program Files\Mozilla Firefox\xul.dll+987fda|C:\Program Files\Mozilla Firefox\xul.dll+987e34|C:\Program Files\Mozilla Firefox\xul.dll+81e96e|C:\Program Files\Mozilla Firefox\xul.dll+db112e|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84 10341000x8000000000000000159797Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+db10ca|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000159796Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+db1041|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159795Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+9263d4|C:\Program Files\Mozilla Firefox\xul.dll+bf1e5|C:\Program Files\Mozilla Firefox\xul.dll+db0d18|C:\Program Files\Mozilla Firefox\xul.dll+34fe3b4|C:\Program Files\Mozilla Firefox\xul.dll+34fe320|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc355|C:\Program Files\Mozilla Firefox\xul.dll+194fead|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159794Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2AAF-618E-A101-000000000602}43524480C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+93cfbf|C:\Program Files\Mozilla Firefox\xul.dll+7a6504|C:\Program Files\Mozilla Firefox\xul.dll+15eda3c|C:\Program Files\Mozilla Firefox\xul.dll+194560c|C:\Program Files\Mozilla Firefox\xul.dll+13395|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+12ed8|C:\Program Files\Mozilla Firefox\xul.dll+926221|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000159793Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.998{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED657760AB07604E3E87DC76B65F34CF,SHA256=B4B22628F491AB33C6E6D421BD9287DE315044A577FF776B828D931529921CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118835Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:56.745{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85250A58600BE88BB955E9BB9D1AEF9,SHA256=3A15785E0FCDC9EC3F825FBD89CD2AEFF71B7EB8EED19D6CB452693B2FB07DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160036Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.741{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160035Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.441{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC12B5FDB8A877A1B63878973B4CDE37,SHA256=B62BEF23891E732B1EFA9E6FDFC63BD6ABDF4F695F57DEBE470A129C73719DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160034Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.424{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9742E453FFDF88DD3CD4C879F02C68,SHA256=A42454262F8064F8EC04B470CCE7F897B768E479BA85DA6FDFEFAE8709F243A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160033Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.163{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-54552-false127.0.0.1-53domain 354300x8000000000000000160032Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.151{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54552- 354300x8000000000000000160031Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.151{189417FC-233F-618E-1400-000000000602}1112C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98f0:63f8:be0:ffff-54552-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000160030Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.123{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local63252- 354300x8000000000000000160029Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.123{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local64147- 354300x8000000000000000160028Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.123{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50640- 354300x8000000000000000160027Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.123{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local54552- 354300x8000000000000000160026Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.123{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local56284- 354300x8000000000000000160025Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.121{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local49982- 354300x8000000000000000160024Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.121{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local64796- 354300x8000000000000000160023Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:53.984{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57589- 23542300x8000000000000000160022Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.226{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160021Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.226{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160020Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.225{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160019Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.224{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160018Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.222{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160017Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.221{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160016Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.220{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160015Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160014Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=83BCEF27E5B36115C2ADBA73CE9A7D2B,SHA256=3F68B0FEFBD484094D6517761B2DC13C6A430DDE3B44FA6CCACA3E39052D2AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160013Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=177BC07ECED26CEBE0441C318BD35BB8,SHA256=2A816C802C006DF75CA86E1497E4CF05DFB0F07DB0CD31C0EC30EDAF92C2DF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160012Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160011Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160010Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=9C65A6B3E14202919AE8AF28339870DC,SHA256=AEF70711C6ED424AF4A4B436C287000B86803D4E8D3D7D45D744147A74DE3068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160009Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.204{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=8B0B930BD10040516CECF865CBF807F0,SHA256=1F0B43926BEEC28F5BC2A9B9A3E19F8EE28329768934AC76EFD19B1FF7469A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160008Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.188{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=8D2088E9683D3730233F5776B93105AF,SHA256=6FD54563C82D91D5E22EC27B736AD2611AB715D8780CFB5975F4146952BF1837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160007Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.126{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=804E1F68C038B57109DFB9ED9BD6735E,SHA256=A63BA4635A311071A50C85343BF670972D7A48203E77353DC7A7B02EAA29B4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160006Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.126{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=28B5CFAC70BE55D3E50FD031ABA59003,SHA256=AC664612DF17CB27C208F3266C90C5598401C467C04D006E0F240547A214A8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160005Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.126{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=664710C1B91D04A31D4AD6123807D44F,SHA256=6220FFF1EC2676AA2ADBF503DEC5EFF7FE3660EBBE296629AB9E31233706C05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160004Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.126{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160003Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.126{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=DC6938568B6DD7673AD033919FCBFAB6,SHA256=86F423E55F67ED58A2EAD5DDE02F589074F76D57919F075E52EDF364616FF028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160002Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.126{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=785F7A5B79F8084DE618AF1B4EA2667E,SHA256=4CECE008A7CA2928FBBFC2A78276185A4A578AAD889DBD2A3BF3B7A71D249B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160001Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.120{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=F1B80154F1F196BC589A2EFC8E03FCAE,SHA256=A8562894EAB9D248FFD608309743CCEF45AF665744FB5EBD753A7B8CE7FDC7F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160000Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.104{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159999Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.104{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159998Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.104{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159997Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.104{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159996Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159995Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159994Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159993Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159992Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159991Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159990Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159989Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159988Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159987Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.089{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159986Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=BF6C363FCFE18836F5B693AC897B03D0,SHA256=3436668289A12D65E3C22BC60B8E2EA8D2D6CF15DF1402FCB3C16DD875D438E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159985Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D5F2E2EC2D972EA4E3BD5E52478574EC,SHA256=5A9F549160D35C4F4CCD6CC4EF4B63FF1A8859F8374AEA866A10F61DC2559E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159984Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159983Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159982Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=C18D748EA4EC42607B01F62BD69CFCCA,SHA256=C3D2FA87A01F8DBA161F97959CC08E146AED0F15A3CCBD94B7019A4DBF2A14EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159981Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=1FC7B2422CDE492733C09B15532720CD,SHA256=B3924A454B89471C1B26B69C90B4E1FC468B75BE378E7A1646CB1DF30AE59BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159980Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159979Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159978Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=10DF08FF9D77ACBF8F2BFB88B4BF1E3E,SHA256=4CC64D82E2EE876BA287302C877554B9D226416AF66CDF9C0350DBB845433881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159977Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E1E560A4EAE533286AEA5189E628BBCA,SHA256=0E5F9C474D34A165AF58EFB90E76E2CEDAE8A3E4FC29A6D9B9E2CFAEACD88A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159976Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.057{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=F1B80154F1F196BC589A2EFC8E03FCAE,SHA256=A8562894EAB9D248FFD608309743CCEF45AF665744FB5EBD753A7B8CE7FDC7F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159975Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.042{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118836Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:57.792{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410ABFEB5483DDF8465962D13E3248ED,SHA256=36BB679B7573CF09D996C8F938F1C4CD058E437A7F8B54C0EDE2C06212B90AA4,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000160042Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.468{189417FC-2AAF-618E-A101-000000000602}4352d2nxq2uap88usk.cloudfront.net02600:9000:225e:d400:a:da5e:7900:93a1;2600:9000:225e:2200:a:da5e:7900:93a1;2600:9000:225e:1c00:a:da5e:7900:93a1;2600:9000:225e:d200:a:da5e:7900:93a1;2600:9000:225e:ca00:a:da5e:7900:93a1;2600:9000:225e:6200:a:da5e:7900:93a1;2600:9000:225e:2e00:a:da5e:7900:93a1;2600:9000:225e:7600:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000160041Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:57.440{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C93A3B3FE1E34C826BF76AFB5C63FAA,SHA256=63DBF4ED3B5658A35396C728BF2461F79E2B1BA16D314D80BA4D78D9099C6308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160040Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:57.340{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160039Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.458{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58726-false18.66.139.67-443https 354300x8000000000000000160038Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.457{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53457- 354300x8000000000000000160037Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:54.403{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58725-false52.222.214.96server-52-222-214-96.fra56.r.cloudfront.net443https 23542300x8000000000000000118837Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:58.948{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9745E68E3934DF0AD528BEC13016C1E,SHA256=4B008D4407982A2F9D803FE7530CB28ABBF890BF51C7988D040BE74B890417FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160048Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:58.471{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F0AE0C9613F5C5C23FE3BA208B6AD7,SHA256=9D289FC4B59D20AAA0028F6CC3F2DDBB52F01425E4A81B34C1B36EF9ABEF29B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160047Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.064{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58729-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160046Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.558{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58728-false93.184.220.29-80http 354300x8000000000000000160045Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.403{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58727-false44.240.138.42ec2-44-240-138-42.us-west-2.compute.amazonaws.com443https 354300x8000000000000000160044Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.260{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52488- 354300x8000000000000000160043Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:55.258{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local55074- 23542300x8000000000000000118838Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:59.948{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFB649C1C1EC2FF03F83DAC6BECD7D3,SHA256=F32ABCD5D5A717940BF7D8AD344BA72BE9CBB88FF6BB13AFB7BB6E1FD05A07E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160054Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:59.486{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C415517D288D8531F297814B661A086,SHA256=89ADECE04234C4484FB7CAFBEDBB1406A88152D80ED979C38B4D9BF372E6F82B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160053Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:59.386{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\doomed\12371MD5=983FE1B69C4711F6D1378870220DF2C6,SHA256=50F742F5C91BEDD196015433EC9137E06BCE2927F50E25C2FADA781BDF8E3682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160052Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:59.386{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\doomed\13493MD5=3051D44BFC3EB454D402081D5014077A,SHA256=142512EF04DED4CEEB1B5B7C61D6A9E3A636A5D4F95538993817BD18D817F589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160051Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:59.386{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\doomed\21495MD5=0ED112F13DC23F316CEBDA4A9B616349,SHA256=D498ADE2729B98D77B494B803D75032B3F3553772E5EEFD7FD46B18A1D361D3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160050Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.178{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51801- 354300x8000000000000000160049Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.143{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51801- 23542300x8000000000000000118839Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:00.979{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5281E7BF066E6EF86115856BB58F32BA,SHA256=1CC2D7B5BAEC7F4C6D95226D6A1A5D39E1A7C05714E28BCD4054B2E9A83497E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160058Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:00.500{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DEC08B97D929AAD7632DB6224FA80E0,SHA256=977A8E37B558B047181BE2FFA72E18FF210805F8D78D9A9D8441AC609D88B631,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160057Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:57.414{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-61131-true2001:500:a8:0:0:0:0:e-53domain 354300x8000000000000000160056Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:56.413{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-62607-true2001:503:ba3e:0:0:0:2:30a.root-servers.net53domain 10341000x8000000000000000160055Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:00.138{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118840Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:01.995{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323F78969C517C701980CED0A1100E70,SHA256=6AC136A1450E4FB49BF9DF8CDF82C488899F40A32B6030314786F3EA6E3E77E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160059Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:01.517{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C04A553352D23E2882521B30F2F36A,SHA256=D857903807D8FFB07B731F89B9F0949FD2E6BE8F38C841A47F438995655823BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118841Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:02.995{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1EBEF77CDDA840175A0950175D8135,SHA256=7D71FD9192067DD87EDFD7EF6E56F9420E6AB7C1116842824691AF16564F0342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160061Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:02.552{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6C994463B311AFAFC3D85AAFD6CAE1,SHA256=760527E36E7B94716F901C7A5BB63E854A2630E814DE86C47BCB1A3343F85BD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160060Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:59.191{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57610- 23542300x8000000000000000118843Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:03.995{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB3595DDFEBBFD83DBFAE8E1FC80DDC,SHA256=280E3D9DAD3D6280527E48234CF85DD97517CB468632C5E7CA21644CE36F119F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160064Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:03.566{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B692ECE61BA9086E65B7CB2C8B6FA5,SHA256=200EBFA5FD22C06BBB0AB5634D15FE259E125D212A87B63627F6B4D32E7345C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118842Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:49:59.682{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50116-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160063Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:00.821{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-62607-true2001:500:2d:0:0:0:0:d-53domain 354300x8000000000000000160062Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:49:59.238{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63251- 23542300x8000000000000000160066Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:04.584{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1BA6C3680758E7641165BA6F3BADE0,SHA256=ACBE43BA8B00965A19826659EA14023F2F959E10FFE0C82FD87898FD3AD9B9EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160065Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:01.190{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58730-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160069Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:05.683{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FF1000C3F9B8281EB9888E07867590,SHA256=CF1E3D0746BFBBC254D7F0033A7EA0AC4E9BF8DC72C83FF12854B5ADBDAA58F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118845Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:05.620{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C3E8E336A650837BF5DB0F7880FDE8BC,SHA256=B57F1EE9EC5D062BAEB5A10676D454BB168159D286FCAB362830C8C718E9678F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118844Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:05.010{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68EE124B08CCF478B47981AFF76FA89A,SHA256=46124B8A23357860C5B8E051C8455DEBE55D656349BD83512D7C6FCC3FA3E59D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160068Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:02.272{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57418- 354300x8000000000000000160067Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:02.236{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57418- 23542300x8000000000000000160078Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.698{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925E21FC4B62FE3D3861915713B38D24,SHA256=6D4AD5594ED524D5BDE2335429A44E80403E92BC30D86AF7C1A01F4FBA05E873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118846Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:06.013{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636B9D82BA8A134433FD32A2AF2E0ECE,SHA256=65CA43F06AE0BCC1154BC12AD5D16D56FE7AF24DDCFCB2ECA3419069EFB799B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160077Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.520{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=17C2F1D66B218F2F28A2CBC3FD78BB75,SHA256=D720F8C84DB6BF654BCBC327579CCADE4F71D677526082CE8BA950950C77F7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160076Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.518{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E31FB8BE4C2CDF5118630E6B67CDDCB3,SHA256=2AE80A050E690F48EEA9F8C5C6DFD2624E86D578EED7C15BBDEBA4F02D46C46A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160075Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.383{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000160074Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:03.871{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-61750-true2001:500:2:0:0:0:0:c-53domain 23542300x8000000000000000160073Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.167{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=D30A26A6452BC69F9B6A33D4CAAAE00A,SHA256=5764F121CC18538D88866DFE5E87D8E6E5EE21771D679532AD50E6E69B4DEA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160072Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.167{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160071Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.167{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160070Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.167{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160081Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:07.768{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1985322C6A8752AC3CD16359D6635C83,SHA256=F4A6BFCA12FFA776ABB80A6F986608A8F8278A6C44D1B3F26A2A4A1CC5C44409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118847Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:07.026{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F99F6D806199BFE416755F1AD7344E,SHA256=94BE67C268827F53C529E263A3C5DB36B7B806FB19D4EC9075D6AA098F479E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160080Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:07.383{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=E6D683ACFD289CCC2903D5202D6AAB71,SHA256=1A10110FD6C9166B66C104EEE56F52F720F81913E80B112D6AF8F2118487D01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160079Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:07.383{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=378752A316BAB100E6B158DE30DDFC03,SHA256=EEBA3F407C4611CBC714C04216F5E5E53F235EDDF97F89100F45C22DEADD6AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160091Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.784{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3FA3C38CB51853A5A52AED513188C5,SHA256=CF7C2845CD976636F0E81936CF84A7E67B72A4444145BBF479F364FA9F9E0A50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118853Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.620{147D18E0-233B-618E-0B00-000000000702}6242412C:\Windows\system32\lsass.exe{147D18E0-2339-618E-0100-000000000702}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000118852Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.276{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233C-618E-1500-000000000702}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118851Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.276{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233C-618E-1500-000000000702}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118850Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.276{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233C-618E-1500-000000000702}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000118849Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:05.635{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50117-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118848Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.026{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0571CE74AE029CEEBAD35B465A4306B2,SHA256=929C8EF976D824F3EED8BDFD52F7E41DBC649D0294CF7F2DA34DA08330C3BC33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160090Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.700{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C0C27D21275D906D85A2D26B60189004,SHA256=285F416CDC3926BFEF0447D30E9C00F3FFB710C166A48A39A54D57C8BC73C2F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160089Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.621{189417FC-2975-618E-6001-000000000602}45085424C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a220|C:\Windows\System32\ole32.dll+8c32e|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8dad|C:\Windows\System32\SHELL32.dll+2837fe|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000160088Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.568{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2AC0-618E-A801-000000000602}5520C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160087Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.568{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AC0-618E-A801-000000000602}5520C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160086Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.553{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AC0-618E-A801-000000000602}5520C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160085Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.537{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2AC0-618E-A801-000000000602}5520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160084Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.537{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AC0-618E-A801-000000000602}5520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160083Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:08.537{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AC0-618E-A801-000000000602}5520C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000160082Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:05.305{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57857- 23542300x8000000000000000160105Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.838{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4ED5FB9BEC9B231C21A8CF3E252FEB2,SHA256=497E529E279FD6D1C20B06C45D32CA822FC24F547C20022CFDC70798E9514265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118854Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:09.041{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DB9B911E24C9B5457FE997EE653472,SHA256=F40759C49247AB72047E2E9F89FFE408DA22F376CF9E28C28EC35795B80B34E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160104Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.638{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E428D9CA0507CB1D841D2B43819F71C6,SHA256=833B7061ED266BC39FC16BF500B480B3A8B2E88A9D90C369A2D4CF5C5B4C7382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160103Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.638{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFE4A61409311E0F8E4E81CA0599F490,SHA256=95C0DAAA3BB25E39C6135D3BF7EFEDF2C09398E237F42A50F2DB00B3E880C60F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160102Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:06.236{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58731-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160101Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:05.336{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57857- 10341000x8000000000000000160100Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.100{189417FC-2975-618E-6001-000000000602}45085424C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a12e|C:\Windows\System32\ole32.dll+89a2b|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8dad|C:\Windows\System32\SHELL32.dll+2837fe|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000160099Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.100{189417FC-2975-618E-6001-000000000602}45085424C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f02|C:\Windows\System32\ole32.dll+899f9|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8dad|C:\Windows\System32\SHELL32.dll+2837fe|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000160098Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.053{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160097Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.053{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160096Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.053{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160095Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.037{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160094Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.037{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160093Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.037{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160092Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:09.037{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160108Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:10.853{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF22E676121D8CE9FF1FAFF7FF17933,SHA256=0D7ABBDBAD0E02F277D9B8E43E4CFFC9C77DAA99DFD34828C529D90E55AE1014,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118857Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.170{147D18E0-2339-618E-0100-000000000702}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50118-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 354300x8000000000000000118856Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:08.167{147D18E0-233C-618E-1400-000000000702}748C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9870:38cb:8c6:ffff-52071-truea00:10e:498d:4328:41b8:400:0:440f-53domain 23542300x8000000000000000118855Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:10.041{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42478B831AEF857AE42961CF6A1DA05C,SHA256=1289297DC82C680477640F84695D5C81B35EC3D7B797A26532BE2DB6D4F7CB29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160107Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:07.645{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-2950118-false10.0.1.14win-dc-362.attackrange.local445microsoft-ds 354300x8000000000000000160106Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:07.642{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.15WIN-HOST-2952071- 23542300x8000000000000000160110Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:11.868{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FE494FCE62073412AC80397DFAAA75,SHA256=35D27014F71B7593B7D850D4CD8B3E18FB4EE9CE6ED79C013193B04FC03F1B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160109Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:11.417{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118858Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:11.057{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C67AFA056A1EB226EBF62B97C924DB,SHA256=9A9589CC6F5C365011C90E25516C481BF24ADE54C45B3E1A04744F0B6188373D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160112Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:12.898{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BEFDE325B06E0F3CCD43BD7C828048,SHA256=DF48A02199C554FAFDEB468B141D1F9538F92A9E061D9EC748818123E5E5A424,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118860Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:10.682{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118859Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:12.057{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8059739581B8B9A39633263CE48E264,SHA256=DD4A1821C8F96D5997605C4E95A16081EBF698754AFA6167270DC515516D866A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160111Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:12.638{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-030MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160114Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:13.917{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B0590BE469A054C1643E761E5D9E18,SHA256=E83E5C861276494D87D3917511CBFD46C3C295E728AFD0D7AA32A4999278612F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118861Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:13.135{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEF2891636DB999C41BE2F0431F7F91,SHA256=97CB6B7D278D323E968BF161AECEFB97DCB7B3C39A111ADC5D342FC248534E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160113Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:13.652{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-031MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160115Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:14.919{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6A5D055047185EA8E5642EE9917B42,SHA256=7DBAB1602CDA77A282A8C228D9293F667F58C50761585200B8981969BF20A9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118862Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:14.151{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B740C041028219C0E4CB1A8C36A652DD,SHA256=09E548AB2991BFC1652D1A43C250F723F9F72C7C74F45A8531A0F011363E4497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160117Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:15.935{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1410D44984000A995B82FED0504A3280,SHA256=EFB4D793A7B67DFDBFA1D27D9AECEBADFFB590732C6E2DE81ED183C97F07E8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118863Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:15.151{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8699708B6FBF8069DAF63567458B6F,SHA256=F866830C3C58654EC383CD5902A8479269053D8728ECCC9AAA46CFD78AC9854D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160116Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:12.188{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58732-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160118Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:16.935{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95625B3B5E1D039FD069F3F03E73210,SHA256=44F220461490536680527A9E61F6736E43E3D869701F7200F235B9262EEC7603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118865Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:16.276{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118864Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:16.244{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3216FAE586A7801BC3F4CA58BFA9B7,SHA256=17C42B398E4784B5D87032348E4166A7F5D4446F0AB6A3F0032B6366242699A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160119Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:17.936{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BA153FDDE55E385B265D01B8A274AD,SHA256=96A99F84931DF097720D80E480EAAAF880DFB8EC95D2A0F7649614C521DEF1FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118880Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:15.807{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000118879Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2AC9-618E-6F01-000000000702}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118878Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118877Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118876Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118875Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118874Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118873Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118872Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118871Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118870Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118869Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2AC9-618E-6F01-000000000702}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118868Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.791{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2AC9-618E-6F01-000000000702}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118867Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.792{147D18E0-2AC9-618E-6F01-000000000702}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118866Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:17.307{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14282B9CE364633F26097B4A225B8F70,SHA256=3D36744E9CDCFC1C66C478B8711D537AA5162A14D5FE7E68F57AA83FDD4AD6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160120Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:18.952{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7EE6A77DCAF0E6502D5EA28FB711A9,SHA256=2D28ECD38F6548474CAFAE1F47D85CA245C41FEC98936491A8E4820AA5330016,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118897Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:16.682{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118896Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.791{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AC7DAAB84FC80A7DDB416C617D5C43B,SHA256=6776C86884D785D85AA38E0940139706C33A85705FBA3599C42AA4285011B889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118895Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.791{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2609125181F541E4393A72304A1C4AF7,SHA256=0AEF3015F70EFCF284562685EFA2C9E82B5B68BFE024000AAFDAA9AAF59AB1CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118894Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2ACA-618E-7001-000000000702}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118893Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118892Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118891Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118890Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118889Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118888Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118887Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118886Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118885Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118884Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2ACA-618E-7001-000000000702}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118883Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.510{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2ACA-618E-7001-000000000702}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118882Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.511{147D18E0-2ACA-618E-7001-000000000702}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118881Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:18.385{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47CA6C5D60E020CD76ACB1E06C009A0,SHA256=544762FD7D471F4B082BCE9C0E7E3BE2A9D7F8436ED042A7B64E2B67A69A7BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160121Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:19.967{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D3BEC8C5D1F492DD97A06B2C76DBE0,SHA256=1AFAED9569E4EBBE0C790BCC95FCF773090FFB2DDCD49899C73F481CC1F11795,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118911Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.213{147D18E0-2ACB-618E-7101-000000000702}33401540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118910Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2ACB-618E-7101-000000000702}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118909Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118908Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118907Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118906Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118905Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118904Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118903Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118902Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118901Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118900Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2ACB-618E-7101-000000000702}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118899Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.010{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2ACB-618E-7101-000000000702}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118898Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:19.011{147D18E0-2ACB-618E-7101-000000000702}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160125Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:20.982{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C268E097E91A5D9BB5E72588C44A55A,SHA256=80B130E3735510658D56817250D9DD715F1D5162BB3455F43DF5C611E38F2271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118913Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:20.119{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AC7DAAB84FC80A7DDB416C617D5C43B,SHA256=6776C86884D785D85AA38E0940139706C33A85705FBA3599C42AA4285011B889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118912Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:20.010{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AB64B504A9FE844A02C7725596E887,SHA256=69C2124182CA1E1953E5134120607621F315EEBA9FFBC929B273F2E35E23E3A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160124Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:18.105{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58733-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160123Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:20.519{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D9FBD2301F99187C6C71AB6E266DA40,SHA256=32569C0FFCFCE41A52AE1A264FDAFA7199416E1F39D509D3EA50FDCD9020DA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160122Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:20.517{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E428D9CA0507CB1D841D2B43819F71C6,SHA256=833B7061ED266BC39FC16BF500B480B3A8B2E88A9D90C369A2D4CF5C5B4C7382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118941Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2ACD-618E-7301-000000000702}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118940Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118939Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118938Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118937Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118936Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118935Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118934Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118933Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118932Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118931Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2ACD-618E-7301-000000000702}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118930Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.838{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2ACD-618E-7301-000000000702}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118929Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.839{147D18E0-2ACD-618E-7301-000000000702}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118928Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.307{147D18E0-2ACD-618E-7201-000000000702}22242632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118927Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2ACD-618E-7201-000000000702}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118926Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118925Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118924Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118923Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118922Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118921Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118920Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118919Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118918Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118917Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2ACD-618E-7201-000000000702}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118916Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.135{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2ACD-618E-7201-000000000702}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118915Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.136{147D18E0-2ACD-618E-7201-000000000702}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118914Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:21.119{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6DC93BFC09AB8A50A5AA36270889E9,SHA256=65264498158492208A76DE8E3BE0438073AC859CCBEFEC238B1499FBE280D5EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118958Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.651{147D18E0-2ACE-618E-7401-000000000702}2028288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118957Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2ACE-618E-7401-000000000702}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118956Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118955Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118954Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118953Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118952Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118951Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118950Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118949Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118948Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118947Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2ACE-618E-7401-000000000702}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118946Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2ACE-618E-7401-000000000702}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118945Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.450{147D18E0-2ACE-618E-7401-000000000702}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118944Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434015352745FFAFC787EC77206826F9,SHA256=EA34135F6072EBD4AF97FB8922F08E340DCB59ADBB2017E6E19B5B93B99B8EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118943Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.447{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7D6CD6BA9AF346044941F8B0272F4CE,SHA256=7C8574CE2A437C19132E32D413CA69E7DCD4C5FB05825E07CCD1F5866307187C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160126Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:21.997{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED86E1DC973A92CF78711FA84C120BE,SHA256=A0092AD78AC433D720A17F269E49DD11C45D9AACFC02DD4F3B48AB569C31D63F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118942Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.026{147D18E0-2ACD-618E-7301-000000000702}3628380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118960Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:23.682{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=414D482C20ECED0A875B89DC7C07A157,SHA256=12437B673307A6150FE1E49C49239CF997492DC7FEDFFB6F6EAD94165A7A5CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118959Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:23.510{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6236E78D088E7E353C9B712E9E954A6,SHA256=DA6103AC7F8B87C8960734BE447DE95729975DE7035EA44B15578D1D33A19E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160128Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:23.434{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160127Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:23.014{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3EA78C9F13ECA5AD892952C4B8CB75F,SHA256=BB4454560FF0E20CD38299486AD97D593E061032BC9C68AE2E83A1276ACDF513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118974Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.572{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8A77AAE3E315E16F019840D45DAE83,SHA256=328E6E61515358171ECBD0E53142B51CF61C00F47A70325E2C57D3FF2EB1BBB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160133Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:22.434{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58734-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000160132Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:24.734{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160131Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:24.116{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2967-618E-4B01-000000000602}1380C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160130Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:24.050{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160129Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:24.034{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F17F03D31EA316098FFD0107C3126D,SHA256=239F2573E3E934A32E514EA294B68E73C7CB2D349FDE7D812F5BB8AE1BE48EA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118973Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2AD0-618E-7501-000000000702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118972Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118971Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118970Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118969Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118968Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118967Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118966Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118965Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118964Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118963Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2AD0-618E-7501-000000000702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118962Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.322{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2AD0-618E-7501-000000000702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118961Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:24.326{147D18E0-2AD0-618E-7501-000000000702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118977Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:25.588{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219AADDC0B9EDBEE71A7C46A33FDE070,SHA256=19228443C3B0EB60C5927A6EB23CBA8FEA3F2748AF08141E79CAA8A96D9CB77A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160135Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:23.219{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58735-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160134Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:25.037{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04AF8E6DB1F479C0B932C546956598A3,SHA256=EA1A01530C1F5B025D60EDF5FEA6B96C17345139171A0CB19A5AAA656CB645CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118976Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:25.322{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE9E2826A27E41D28BEA4D93E271C8D5,SHA256=92412E582C83B501637163F919E02695CA97E02A2DA4F402DDBFD2CF9D016545,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118975Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:22.588{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118978Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:26.604{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763B556A1F5403A93E2F0E3DB5C292B4,SHA256=4DBAE3CBA089885C1C67A2EBB97024FD1AC02A9AD1133553EB2175A6A019740A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160138Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:26.054{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DB8C677803AF166EF24C2C47D58500,SHA256=FF4FFCD95BCBA935E2AEDABF3CAD01E4EAEFA409C9939CBF01E16E0E57E34901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160137Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:26.021{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC89B1DBDEAD0B77EDFB089BBD2D66B4,SHA256=633EC925BAC3F3C2F6F66F1E50DA23D65C3C99A48A0141FB91F2650A57823A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160136Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:26.019{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D9FBD2301F99187C6C71AB6E266DA40,SHA256=32569C0FFCFCE41A52AE1A264FDAFA7199416E1F39D509D3EA50FDCD9020DA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118979Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:27.666{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FD03FE8B16B51645892B63331C4C88,SHA256=DF890880144764D91FC552A48BC9210BB9E6062086EF92C84297D46263C683C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160142Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:27.154{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1500-000000000602}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160141Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:27.154{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1500-000000000602}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160140Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:27.154{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-233F-618E-1500-000000000602}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160139Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:27.119{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82BF60AEF38864E8F5B30001603E60D,SHA256=2009880CB87E0A259C4E541A47F7760D11978DCAA5DCF6A47D45F78D7508E969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118980Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:28.682{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934DC816B182DB2A5E2D1EA63EB0850B,SHA256=6FE304CF4778A1AF3B0C6AF9E347C8EFF4C45210BCCFDFBF12B0B99D2366A90E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160143Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:28.201{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EB8CB9E7FC132C1840F1763969523E,SHA256=492951B5F4136E059CA2FA1210C216DEB1AAB8898DB00EE9FC5A657BA0F24372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118981Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:29.729{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6232610B6623C478142422B9D12C2C,SHA256=68DC0BB624C41C9596B2BA849921BDE980EDD0F87B6D9D35DF5111C6AC15EACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160144Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:29.218{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02B61CE1DF32B790C73D358E8D82BC5,SHA256=8E0E8EF4FB2E89C9EE8049EFF72BEA0C0D0AF22A29A65B8629C15639EC1DFAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118983Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:30.838{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818743C7D229EFAFAC14BE13BA7A325F,SHA256=7BDF96A114453F9906F5E65A1BF78D69A22076E3EEA6BFFB316602E57DAF25D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118982Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:27.728{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160145Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:30.268{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D62C7051F47494BAD15505D3939551F,SHA256=B0AEE0267BDF876BF1C2425A3C4433782AD3D36F031EFAD4E0048A044D79E964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118984Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:31.854{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2F9AB159E9267F67FEACAE9C8ABE20,SHA256=AC0ECE261ADDBD103934E424C33DD242F7FE894663A7BDECE761E4256893027A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160147Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:29.174{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58736-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160146Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:31.268{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B486FB5B1E2BCC15040E0EF80A53DE8A,SHA256=CA847E210BF1456FA2D8440321791B099104AE25207B701DD5E55B75845602B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118985Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:32.932{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B56056EB8D35A6CA89E5F5ADA5A269,SHA256=1F30BA3D5844C0430741B843E4DF4C9B26A3FDE19463399A8CBA1B7C1EE29A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160148Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:32.369{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E7A4DF43AC52FDF76016C34ECDF3EF,SHA256=C909FFF3B19CA030BE5A79AF49A56FE057B721145426796209322D27FE87713A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118986Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:33.963{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF210B9A9FC7DD5E4AEBCC37C4033C4A,SHA256=1F909A3C1BF561E20D8A4C8E4DA76EAD68CC808DF4DB77505397BF8C8A328A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160149Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:33.439{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76FC2D42B251037EA7A218DFF637A18,SHA256=07F5194F3CA8F293037931EE3774041F610D547CAF6B34FBF2F3205EA323E751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118988Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:34.979{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7D587E35166E796D96D0801B2AD79D,SHA256=99EBEA1DA73BB89FC9295A9339B398DD4954481F6A08CDF482E654E49546F329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160150Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:34.470{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45ABF91FA8827CA090B7B34EDB29D50E,SHA256=2FF6BA69A5CD45873138CFC24869CA29D25F564CD176347202232C87971D872E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118987Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:32.760{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118989Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:35.994{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BED416DB6DF70658659F6ADFECE8DB0,SHA256=5B87C3A383C34B17670B8E2B983B0CDDFF0C2E99AEC60EE76E21551186987BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160151Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:35.619{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB201434DAF35A0987F3F3B686E57DCD,SHA256=9F39CBE91B464B5A9949D1A56A4F4261657D5FC626B1F29424EB5FF97AE84268,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160163Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:34.260{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58737-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000160162Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.925{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2ADC-618E-A901-000000000602}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160161Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.923{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160160Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.922{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160159Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.922{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160158Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.922{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160157Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.922{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2ADC-618E-A901-000000000602}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160156Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.921{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2ADC-618E-A901-000000000602}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160155Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.920{189417FC-2ADC-618E-A901-000000000602}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160154Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.640{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD2F02D2AC3BD75F9C5C64EAB5DD850,SHA256=236CFF25E9BE5D63E7ADB82BB416830984424496B62A54B9CE864BC6D7CFCB0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160153Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.054{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2973-618E-5001-000000000602}2732C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160152Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.054{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-233F-618E-0F00-000000000602}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160181Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.949{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B5D9513173C8213CF4F576CDEF90BB6,SHA256=6E192D8D7E45DE4C3E93D59010F040DC8B9B60691001E1003808274CBB9B39B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160180Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.939{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC89B1DBDEAD0B77EDFB089BBD2D66B4,SHA256=633EC925BAC3F3C2F6F66F1E50DA23D65C3C99A48A0141FB91F2650A57823A2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160179Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.688{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160178Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.688{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-233E-618E-0C00-000000000602}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160177Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.688{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2975-618E-5701-000000000602}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160176Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.688{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2975-618E-5701-000000000602}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160175Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.688{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2974-618E-5401-000000000602}2292C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160174Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.688{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160173Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.656{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE897666E8F772AAFCFF23B6A2FB268,SHA256=4A8A61D398C91B70A5BECB5793AA3BE312E6A637275D45C066354E054935093E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118990Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:37.010{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B723D009AC8152C6411074478F83FD,SHA256=CBEA534A133015A920BD14669FC8CA1F71831B244E327837603E964E88A7EB67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160172Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2ADD-618E-AA01-000000000602}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160171Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160170Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160169Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160168Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160167Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2ADD-618E-AA01-000000000602}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160166Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2ADD-618E-AA01-000000000602}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160165Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.604{189417FC-2ADD-618E-AA01-000000000602}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160164Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:37.156{189417FC-2ADC-618E-A901-000000000602}59965604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000160192Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.841{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58738-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000160191Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:36.841{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58738-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 23542300x8000000000000000160190Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.678{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684B30C87EDE446C48AB270173DECDEE,SHA256=06B72AAD784EE31425F3225A389B17CA491F772F03B56887621311A3BC9DE0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118991Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:38.150{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5553A29A0D4FCB4CE646197FA9769E,SHA256=4EDC309391936EC80AA14062244F0D736EB46AEA6907464AC2F5E4C3BB5CAC17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160189Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2ADE-618E-AB01-000000000602}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160188Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160187Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160186Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160185Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160184Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2ADE-618E-AB01-000000000602}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160183Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2ADE-618E-AB01-000000000602}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160182Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:38.179{189417FC-2ADE-618E-AB01-000000000602}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160194Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:39.697{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8245D4B25190914CDA4843629ADA133F,SHA256=10A8617F6DDD49C297EF83194632ABB296E5D47796F3AF7EF49980604A82AE85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118992Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:39.150{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6580CEC686CC60CAFA3C8BA94D23F6BE,SHA256=792229018F5B53195F9269C5CE523EB174A5326CB9FA8585093D65165CBBD32E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160193Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:39.196{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B5D9513173C8213CF4F576CDEF90BB6,SHA256=6E192D8D7E45DE4C3E93D59010F040DC8B9B60691001E1003808274CBB9B39B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160212Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AE0-618E-AD01-000000000602}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160211Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160210Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160209Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160208Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160207Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2AE0-618E-AD01-000000000602}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160206Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.876{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AE0-618E-AD01-000000000602}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160205Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.877{189417FC-2AE0-618E-AD01-000000000602}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160204Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.714{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E33C16C17BF4C64AAEBEA3A6A4F3F26,SHA256=3822744025853E8D874378C6E0E5077523316731C7734D550E393F6A0812D98E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118994Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:38.760{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000118993Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:40.291{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36ADC04ED1D14F5016BE66A5AE35CEF4,SHA256=4FE94444C257DF6E0B13E942024A9A3159F28BAD91DBC6AE0E2592D5D60A228B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160203Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.545{189417FC-2AE0-618E-AC01-000000000602}55646100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160202Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AE0-618E-AC01-000000000602}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160201Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160200Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160199Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160198Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160197Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2AE0-618E-AC01-000000000602}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160196Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.361{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AE0-618E-AC01-000000000602}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160195Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.362{189417FC-2AE0-618E-AC01-000000000602}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160225Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.766{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E3949E7EFA319E2419CC37423086DC,SHA256=BBE17E1C8898EFD85EA39BC73808A402418856CB47EAEF2617B2CB608181A0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118995Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:41.291{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2574FAF2872042B12E139DAD3DFCFD20,SHA256=C14DF77EF0DEE1D807D50DD71B2C86E16974549AF57C8EA910C2554E3E37B2AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160224Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.678{189417FC-2AE1-618E-AE01-000000000602}51605172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160223Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.562{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160222Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.498{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AE1-618E-AE01-000000000602}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160221Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.496{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160220Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.496{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160219Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.495{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160218Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.495{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160217Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.495{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2AE1-618E-AE01-000000000602}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160216Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.495{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AE1-618E-AE01-000000000602}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160215Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.495{189417FC-2AE1-618E-AE01-000000000602}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160214Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.378{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B36366D2F6DEAA847B654EAE1626D47F,SHA256=079DC9B862923D6441A5CB667D6C49CC090C20C3986B7FB09E9A58E2CC930C8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160213Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:41.195{189417FC-2AE0-618E-AD01-000000000602}54765412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160227Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:42.819{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6350C79946A3DF366E22AF6DC809F5,SHA256=FFE622559C6E4A62004558A6A278755ADD0BCBC571BE6DB3DA18C79FDD9CC18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118996Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:42.307{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C498EBDEB7C6644473AF23101AA0473,SHA256=9D30D2EAF4F4A47EB8D2F40C24BB145CA80EA0669CD46A1C335ACC49B3707503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160226Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:42.550{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D6211A7A364058ABA8A4D9FFD4557E7,SHA256=8758364E7053332223F03E5A0EE6819A49025C7469D4602C78030C70CA8EC2E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160237Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.867{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF58A7107E5BF85A319A50D259A8AE20,SHA256=5A4F98AE9ACFA2B069B92000BEBF9968BCFD02D8D803CF8838BCB30EABC3665A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118997Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:43.322{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA6A9942E40F9B75F13D52A319867A3,SHA256=6AAAC49551840034D633566A426E8A4338CA0CDABAD8ABBFB82BDA272889871B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160236Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.539{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2AE3-618E-AF01-000000000602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160235Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.534{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2AE3-618E-AF01-000000000602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160234Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.534{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160233Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.534{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160232Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.534{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160231Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.534{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160230Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.533{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2AE3-618E-AF01-000000000602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160229Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:43.370{189417FC-2AE3-618E-AF01-000000000602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160228Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:40.153{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58739-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160239Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:44.891{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B301B42CDDEA40D592E5E3F31B18844C,SHA256=58F998C1534A2D289090FD59E559C67F1D2DEA9F3A02611FF439AA6B9692657A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118998Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:44.322{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9DABE4AE993B94706E42682D414C7A,SHA256=704460FCF2CECD6C636917FD421810A3103E5ECE5C19583AC46274F2835A840A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160238Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:44.386{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2EE2156872AE68D29B29D962261C141,SHA256=3D9BBD565E69DB67154DDBC7DF24880B7653D85606F1D9BB6E5BACEE8481CD2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160240Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:45.905{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E27484AC92992E22BC86F9E655F752D,SHA256=ED14CEC594E16F7D5E70B8FF2AA69E21173324480D566320572EAACF808CDA7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118999Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:45.353{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B1B6FC5506775C48F03AF559F3509E,SHA256=B6FCECF81E979B17AD523B7A719DA5C2DDBC2743A11AEDC4EF584E672CAEA3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160241Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:46.989{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45A9E0CFBF32CE90F4DF2A6F4B6582F,SHA256=E33285271A6C6CCC7B5CA2126C813DD197D205EE9A352677D028BFE82EC627C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119000Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:46.463{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD0EABEA0737323D6EDCB43066D0A5E,SHA256=5C550C83296EA712463C14F900E2C58BFBE2AEE184EA73B11F620BD9FBE4F340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119002Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:47.510{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654B4D85AFE412CB4920D03A3289951A,SHA256=5582DCE640EBAFA039E36BB8354D87EB915FAC38E0DF6E547CC4EE1F45C9D0DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119001Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:44.666{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119003Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:48.604{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344F784E9B134AA9F5592F05759D88AA,SHA256=28E236DD871A1F91AE62C4EED2A13086576EBCBEE1760FD85097C622A63B26FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160243Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:45.193{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58740-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160242Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:48.020{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716700D47D54C1702DABBA79C895C932,SHA256=5F96E556DCADECCE4E885CE8CF18EC3B37D681BF0DAA15B3B9726968D9746C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119004Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:49.697{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4456159226F0BF2E0DF74AA66768BAF3,SHA256=E6FE141C7A1DDCB177E1721F706D73EE261B02BC2C9832F342890C23E32962A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160244Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:49.050{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4305C84E2B543E62F2B85981E62B2FF,SHA256=A4829956B322A6DF0D0961C26296705B5FC5E647B6690025A393308D78366CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119005Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:50.807{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E40A7A26A8617B419EFBBDCDEDDE63,SHA256=A71E670B71ACFE10A267250DEEB56317EF979CD02DF2C1C38FCD91234D346FAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160246Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:50.502{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-233E-618E-0C00-000000000602}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160245Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:50.068{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80BA05388DE315EDE7F9E7BFC4FB0C4,SHA256=C976370506F189D94CCE7E47E1A8B195D0450D96B5920BEBE228A3F9A1BCDB86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119006Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:51.822{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2050C62195DF27B6662DB8CB025179A,SHA256=AC0E9BF5564CC4CCA08108E6D7D08C369BE01C31A2C9D13C0456A92953D74158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160247Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:51.088{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A577EF8BE4244434C5F05FDD43046F9,SHA256=A063B1CABD18A848D3DA318E65400E216940DCFF1936FBE29BD0FE0F4D503C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119007Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:52.822{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FEAE3479FEE3B3A7CA375EC2E8B014F,SHA256=5FB90288946C61224919ADBA3C9E7326E183771D357E512930675D2455414E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160248Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:52.119{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC65E902AAB6CFAD03E5AD3ED19CCBD,SHA256=8DE774A9287BD57AECF32A4F04017FC609FB2745DB2B2C1959120AB2E6DD8070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119009Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:53.838{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E76E967E48976CE82EF0BC200C5354C0,SHA256=FE98EE64A2FCD8D7DCA56E57D7A731004B1B14ECE742C63E84710E2010E7E919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160254Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.475{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\trash24041\9913MD5=5AB7EE429809A6E9B6A274095F07BBE7,SHA256=4A47ECE1DE3EAD842352E5F103D684B7AE00F1A8326A23C4E3A45EA337BFA130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160253Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.475{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\trash24041\3342MD5=8365A2675C121766CEA19C2861A0B055,SHA256=DF1982BEFAA7375DDD1AC24598711138137F1DCD1B3CF66172B0710D3826DCD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160252Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.475{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\trash24041\30245MD5=587CEF1C44990177718F111818E8B439,SHA256=A25946D2C8072E23D05DF9EF4898BDA78E5D104E4F156D71013B652FBE017241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160251Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.475{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\trash24041\29948MD5=36C470F68B6F0123F3681177E4F0AA7B,SHA256=3B8EAB3CE2A42EA6616476175BE76B73051CD6F676220DCF07DE300339A8A509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160250Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.474{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\trash24041\29651MD5=A9F4A9FA1CAC14221C768D5827D66081,SHA256=C17B42636C15AD0D40F926484CB1F16F8B2830AAB0BF85098A908EE177DD05AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160249Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.154{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C93F8893A9E35BC3F36F9A78A4293A,SHA256=41CB519E79A56B49B11624596D4C15A942682C7ACC44F5B0226414119056AF8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119008Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:50.650{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119010Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:54.853{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D40BE22C97CC5DADA0BD5D1ACB0AAA,SHA256=934B5719451E657A661DC3B2400061A2B9BC7D9928ADF2E5C1B07C237DA1739E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160261Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:51.072{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58741-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160260Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:54.254{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\saved-telemetry-pings\464d53c2-636d-40c3-8a36-986c70aee204MD5=D18C69CBC05F5F4F814440B3F4881BCC,SHA256=9067AF2FB4B0EFB9DF40E745790CBC490A0296E67DEA36E82E8A24145362830B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160259Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:54.254{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\saved-telemetry-pings\2028742a-7a1e-436f-9dfc-dda9e0e46b89MD5=32C485766BA459256450A13E3E4496D6,SHA256=8695D53156DE97A4E07A69F1B7CA511CFA4AD43789C487AF37ACB82539C3229F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160258Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:54.238{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\saved-telemetry-pings\31d22c12-1f75-4101-9be1-e6881a323d0fMD5=2927E70EEA85B4F95654A07FF3767F3A,SHA256=68B5938BB2E3ACF1971FA114267AF479B9A1D5117A3510CD86C147586B0CF068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160257Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:54.154{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74899288EE266E2133BA699A38420270,SHA256=06A925B379ED7C122229CA76F24E832C36F696439DEFD5391884CD40A0B39909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160256Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:54.075{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\uninstall_ping_308046B0AF4A39CB_5c341e8b-b393-40bf-a222-b7fa7980bd9d.jsonMD5=92642096A880F42086E7330849AC13EB,SHA256=617CE908575D3DB23C031BB6DA38F98955A3657C4ED64F212AAA5F4ED3DEA9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160255Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:54.038{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\session-state.jsonMD5=C7D9FE744E2EC3DBE33A57C5D6FDA529,SHA256=D75E9212AF4CCC68A46337CABF0B51F9D12FD2179D0B6A2E5D30F70AC8DF06EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119012Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:55.936{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5FF3DE5794B108C9EED302CFE2E5E7E,SHA256=6E4309F0B48209F4EB2140B4BDA84653EB8243B797FD1D73028FCC17D09DC1BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160266Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.097{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local54269- 354300x8000000000000000160265Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.054{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50822- 354300x8000000000000000160264Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:53.048{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50576- 10341000x8000000000000000160263Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:55.308{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160262Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:55.175{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687CEF1AE6A5F1046AC44120CFA5BC7D,SHA256=787B9E7056640FC98EE6220D7B201BC2D53F9D4C950BA38601C0A69F1AD1E29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119011Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:55.482{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-031MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119014Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:56.966{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA0027362206D73D87D5F8E2A8557E8,SHA256=902D673603DAEDE4B73B7DFA20616E66E4FF661BD39AEB8CBCAA234BFDEA0650,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160269Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:56.391{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160268Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:56.391{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160267Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:56.207{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94760CFFC46D73304ACC8D1AD7599B98,SHA256=D2D51FE9AB7F7BC676FB2E845FFA8E593F7B33D0A5D4EAE7F9E745893A54C147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119013Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:56.484{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-032MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160270Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:57.209{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD06B364B1C5E2BB90B69A21ED60E34,SHA256=9CB909F26F019E8294F05398F3E798415EBF70075F4698BCB93FA81C1846FD5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119016Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:58.201{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045DB840CE0B7EE5B2ECB064752A36DF,SHA256=90915B9591BB709081680A45AB28450B0ED813F3F825087FE025B80FF8BCF0F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160272Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:56.193{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58742-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160271Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:58.212{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F858DCF240420DDD9D55FDA8DC27A4,SHA256=4639D2FAAAFC06C6E9CDB735CA5DDF318C6DD01482DF26E8A9410E0FC7E27BF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119015Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:55.748{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119017Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:50:59.342{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91500C5AB8B2B612D35F98E63B61F908,SHA256=8E4ACA71FEDD6556CD8C17B2E0CC9A7325922C942124227661FA7D836D624973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160273Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:50:59.242{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F06699DD10E25FF38278296BF8A2BC,SHA256=33AF6586A81BC8ADD5515B6CF0B8D2B96ABDB3F4D034E35B36A1DCBAF656E974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119018Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:00.342{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE9D104684B648D22F3798866ADAA31,SHA256=043D8626F1CF84EF7A2EC772FF2A302A741CF146D455B762B177F0DD41DED346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160274Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:00.326{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC7B44FDB6A5895D4C6FD0A5890CEBD,SHA256=3EE02C2E1FC00B4DE6B938D6A2A22C17C66F22960745E8BCFAE893410F4D2C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160275Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:01.327{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D222B962417661EA8E07EE63736732E6,SHA256=CC02727103E2C9FC3704FB393F655BB36A142192F11C56A630F443654C3DF24C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119019Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:01.357{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826CDA7C10F9EBF39FF33C4189D3860F,SHA256=741FF36CBC4504AE8160AF010DD99190DD2A15281A509DC45225AF411EF5E3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160276Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:02.327{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2FD931C16F8A123966A289B486EF3B,SHA256=07E49C662FE78F904EEFE7175C5A780A8A079AB58BDDFC9AB6F904BBB5A36627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119020Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:02.373{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120C8EBC2E494E5A52F929BC1FFDACA0,SHA256=0B3573F10F8261B2158E4C9432EF93171BAABCC1D1EF900DF21D6A29732B6744,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160278Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:01.249{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58743-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160277Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:03.329{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71843150F51D1CAC3EA4679A4617DD6,SHA256=A9A335200117AD3B573394C4201061F427C495EFEFABB0D3EEB058C08648B628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119021Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:03.389{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF526FC149AB3314F37D1C4400CADF02,SHA256=2683CD59E4F75F54616F05A057AFA3AC1B3C37E5DECD6DD9667BE83B6267B44E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119023Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:04.498{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C33049490E6AEEFFE78586AE8C6845,SHA256=0C82AA75B94AA3F1E8831CFE2D8497A8790565E3DBE2185CC68ABDE0FD083E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160279Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:04.359{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3EC5D1E6EB41E49A3E07B3C37932C9,SHA256=B7DE225020E650AF1BF8DCEF11C6E3C344310269E6A0A7BF33F15695927E411F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119022Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:01.608{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119025Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:05.623{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D926C2568F7D3C06B7FE8B8F21640CCE,SHA256=6FEBA9BC2AC38B38E590654731A4F064C3384DC07D7652AAF2EE73AB687EFB7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119024Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:05.498{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5EEB63C7D26B4731DD88E8F8BFC9D24,SHA256=1684F91A1B89A8B78385B3FC57FABE8D89171F39B7BDCC3A13518AB85D07CD4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160280Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:05.428{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DD2AE0296F3EE4AE500E919EE099C3,SHA256=093270400FC46A12E9F1CD5F430EBEDBE4CE94E3D923A1C555D9ECC358550137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119028Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:06.732{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DD06E4C69A81C57192983CE88C4F7C47,SHA256=82BD5F0198B1F7DB4072A28EA83D87744FF53659DA9F45DE1D187A97E716B4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119027Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:06.732{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=038F7A27DC2E21746B1EEC0BFA977744,SHA256=C7959995612F2A0D075786AE4A1FE73C2D209F07CF08FBCA33E7A71344A3F0A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119026Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:06.514{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65088580190E834C8F26E796812C1999,SHA256=56CF3707A8F73CEA8FF00A5ECE7B3991E2A1900F772AEEBC5335C24402586031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160323Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.945{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A89DA44CEE9DADF0E7B3D47B1B3BF4E,SHA256=33F4EFB65C2317863E6E07FF789E1F1357BBE0FE773A158B852508FD2E9D127A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160322Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.845{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000160321Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.845{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000160320Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.845{189417FC-2975-618E-6001-000000000602}45086120C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160319Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.845{189417FC-2975-618E-6001-000000000602}45086120C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160318Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.783{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000160317Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.783{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000160316Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.760{189417FC-2975-618E-5501-000000000602}27083276C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000160315Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.760{189417FC-2975-618E-5501-000000000602}27083276C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000160314Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.745{189417FC-2975-618E-6001-000000000602}45085476C:\Windows\Explorer.EXE{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160313Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.745{189417FC-2975-618E-6001-000000000602}45085476C:\Windows\Explorer.EXE{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160312Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.745{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160311Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.745{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160310Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.745{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160309Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.745{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160308Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.729{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160307Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.714{189417FC-233F-618E-0D00-000000000602}904936C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160306Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.714{189417FC-233F-618E-0D00-000000000602}904936C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160305Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.714{189417FC-233F-618E-0D00-000000000602}904936C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160304Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.714{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160303Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233F-618E-0D00-000000000602}904936C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160302Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233F-618E-0D00-000000000602}904936C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160301Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233F-618E-0D00-000000000602}904936C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160300Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160299Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160298Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160297Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160296Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160295Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160294Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160293Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-2975-618E-6001-000000000602}45086020C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160292Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.698{189417FC-2975-618E-6001-000000000602}45086020C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160291Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.682{189417FC-233F-618E-1600-000000000602}12521780C:\Windows\system32\svchost.exe{189417FC-2AFA-618E-B001-000000000602}6068C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160290Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.682{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2AFA-618E-B001-000000000602}6068C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160289Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-2973-618E-4D01-000000000602}19681584C:\Windows\system32\csrss.exe{189417FC-2AFA-618E-B001-000000000602}6068C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160288Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160287Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160286Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2AFA-618E-B001-000000000602}6068C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160285Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160284Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160283Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.660{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2AFA-618E-B001-000000000602}6068C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160282Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.668{189417FC-2AFA-618E-B001-000000000602}6068C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{189417FC-233E-618E-0C00-000000000602}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000160281Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.445{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE19678A272E873D4821F64B2FF0E5B,SHA256=9C499990DFF1E00561F739017891E78FA53CCF02B7C2847A26041DF9B3BE23B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160341Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.689{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6714C0A8B49BF3CF4090B2ABF8E8BFF,SHA256=4296C7F79C5899F7923B23A00295F6B2988D7EF3EF67A45DA788DC3E51CD1D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160340Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.687{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E0F315D266C454FAC2E77BC925218AC,SHA256=293A2653E41C23278A8062AD7026C5A1B6639FD4071D1FA4A7CF99EEAC4CCBCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160339Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.550{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160338Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.550{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160337Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.550{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160336Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45085488C:\Windows\Explorer.EXE{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160335Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45085488C:\Windows\Explorer.EXE{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160334Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45081068C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160333Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45081068C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160332Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160331Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160330Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160329Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160328Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160327Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160326Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160325Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.534{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160324Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:07.447{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF1CDD62CFED7893FEF73AB51B7FF44,SHA256=1CACA1041A5DE5B7D09D4BB11EAB8F15C6E4E9D37605D7E6760A2A1221EE07C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119029Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:07.514{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9837A54432A3A6EE0CC0D0A424903B9D,SHA256=0649B4267B0B31A8D41D8DC9697DBA1DDE0AF00F85ABAE79F1A023912A04FE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119030Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:08.529{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE54B5C96606A1BDD6C3161A487B2F4,SHA256=1F07C4F635EC2FE9EA7044CC9EBBD1CD54345A82B74F70221B5F69EBE806FBA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160353Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:06.301{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58744-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160352Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.706{189417FC-2986-618E-7101-000000000602}4572ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\djymreij.cmdline@2021-11-12_085032MD5=BC580ABAD2C3CF3FF5A76E2D24664D1F,SHA256=3F6E4B1803684613E6D827342EDB89622420B1297F5611A6C24DDD97E0821122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160351Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.706{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7964F00828526CDD375C3644B284556F,SHA256=D4DE214C2CE612126C743F16B03AABACE3233CD64C6BCE09D509803ED91692E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160350Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.468{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9EEA08F3B82182ACDFB2DF84906DFA,SHA256=3BD50D0AD542E761CB9DD2AC049827062A2A555D7D90441716630FAB057BD59F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160349Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.322{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160348Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.222{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160347Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160346Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160345Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160344Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160343Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160342Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.206{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119032Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:07.608{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119031Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:09.545{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F389BEBA37952852B3B2C7ED8FC8FE89,SHA256=73CB99B64C98D0C481744658C9801654A830B4900C15B913CFABB674D2BF84E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160359Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.496{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46E9953F1AD9BEACC5258F4ABC60BF0,SHA256=44CCF4E27BBEEDC9C6A6EA4FF3C96F983DD2F71637CBB9B43BCEAA62E833320C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160358Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.322{189417FC-233F-618E-1000-000000000602}4081064C:\Windows\System32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160357Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.322{189417FC-233F-618E-1000-000000000602}4081064C:\Windows\System32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160356Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.253{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6714C0A8B49BF3CF4090B2ABF8E8BFF,SHA256=4296C7F79C5899F7923B23A00295F6B2988D7EF3EF67A45DA788DC3E51CD1D59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160355Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.253{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2975-618E-5701-000000000602}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000160354Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.253{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2975-618E-5701-000000000602}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 354300x8000000000000000160362Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.380{189417FC-2975-618E-6001-000000000602}4508C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58745-false20.199.120.182-443https 354300x8000000000000000160361Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:08.365{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57457- 23542300x8000000000000000160360Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:10.508{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4BBD5DCA7F7024EFE9191352DBA263,SHA256=F92E53B29BF80C1A14719511CDC2E0BF8D1E84CA1BAA852C8F01C6E7E3D4955F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119033Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:10.545{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B63A34F4CE16B41322B89EBB08C8E22,SHA256=D2335C54331FFCA48B4BA498A451C6EC516ABCB8828C107AF8800A2B45552349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160363Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:11.538{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFEBEC8B29AB00980A5BA491275B3C1,SHA256=891319EA2E7C119F2156A7387EE41E7A67DF0057D8922D60D0F4215D9EF6756F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119034Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:11.560{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3877C6B6AF7B0DC6F2AE18FD5E15923C,SHA256=57EE4DCF3EAFD44125D05BEA4265CB1236C2805F48CD36D2DCE92034141056F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160378Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:09.708{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local64168- 10341000x8000000000000000160377Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.888{189417FC-233E-618E-0C00-000000000602}8483096C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160376Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.888{189417FC-233E-618E-0C00-000000000602}8483096C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160375Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.888{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160374Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.888{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160373Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.888{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160372Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.888{189417FC-2975-618E-5601-000000000602}19044140C:\Windows\system32\sihost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160371Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.825{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160370Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.825{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160369Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.825{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000160368Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.540{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CEF110E345B6215334AB94D6ADBA12F,SHA256=10B56F7A4C7DD09CC9A6D65C6A651DC63C7AF6D4E0808857AC2540FEFAE49F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119035Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:12.576{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EECC114CC53A299642E510A3AFF890,SHA256=44130874EA5233D4E4C062AC8F7FB376BB64754BD2DB32269DEB782D6A7C1E4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160367Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.305{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160366Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.305{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160365Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.303{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160364Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.303{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000160379Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:13.556{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD7E29224A0B0ED115E6877DD9CD172,SHA256=610BCB4742ED8B885EBA1F317C84AF1907DF957C0485AEB8CDC14D2539743499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119036Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:13.592{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A679DEB43E5F57A28E04E8FE91134B,SHA256=735D803BEA4D1BB2077878D31681F52CCA86F5CCBD919666D84374E5864A12C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160382Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:12.209{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58746-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160381Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:14.607{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8FCA0299121B32AFD9B7CD5F73CE95,SHA256=E3B51F00E57DB9E7E5226E59C5E9A1D8D5C6F021C9B839C8B3F5881C722D1051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119037Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:14.607{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F584921483F9DDB22E68E6F13F421C,SHA256=72D66FCF28DDE598DE76AE0A7EA90FE20A580A32920927C2D3557EEEFBE515CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160380Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:14.174{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-031MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160384Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:15.641{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145F52890BC3FCBAC615C7E703AC3A16,SHA256=894E35843D95926EB54FE7A992558222AD7703F0A81D100952397167BA1FD47E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119039Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:12.779{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119038Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:15.623{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3CF0959056A7EC2DA08B96403469CA,SHA256=D060E25E84524DBF06E98C9F2D41566B08E757C4C30F7818BAF58728B2737C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160383Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:15.187{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-032MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160385Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:16.644{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98118E67FE06F03652554360B8EDFA5D,SHA256=E1DCCF5D8A5E1CD06893E7FF945E24E38F1B4850B4ED5496BFF401E31E0DE92E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119041Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:16.670{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAD837D5F09A7BFE3C82F2CB01F25B0,SHA256=E5C6A44C29ED0B42B93C9D95CD603F2D7355A2118BF06BC89620EA0D892A3102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119040Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:16.295{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119055Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B05-618E-7601-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119054Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC51464DB3E94B4E7A2E5C1EFF3EB9A,SHA256=C4DCEF18A6247AEDB1471A5B8940366E1F6FF05D2D729C48E98188ADA83AA8F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119053Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119052Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119051Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119050Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119049Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119048Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119047Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119046Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119045Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119044Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B05-618E-7601-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119043Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.795{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B05-618E-7601-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119042Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:17.796{147D18E0-2B05-618E-7601-000000000702}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 17141700x8000000000000000160387Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:51:17.743{189417FC-2975-618E-6001-000000000602}4508\UIA_PIPE_4508_00007ba3C:\Windows\Explorer.EXE 23542300x8000000000000000160386Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:17.659{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3E1BEF2BD68BBBEBF72858829E92B5,SHA256=B8C1D51EA93D29C017EE0588BB61B9AE1137E59967E474FBE84F138BE6DAE446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119072Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.826{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84A7AF5B726F407952784479095C317B,SHA256=3E1265E97E227C9068183FAA375F8AB0A2664E26E08CDC8F7DCCB813A9C30B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119071Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.826{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D8FD82DD4C0D22D3C65127C9317A4BC,SHA256=877996688B9F9FF3F67D39DAAFDA7D758D14DEE7F8DD068D6725864584C5CF43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160388Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:18.675{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B77D1B074DFF5863B769315C874F89,SHA256=C5526F09A3C7885154279F2132926B037C27AB1BAF6DAA8169946EF2B6D055EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119070Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.732{147D18E0-2B06-618E-7701-000000000702}30522500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119069Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B06-618E-7701-000000000702}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119068Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119067Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119066Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119065Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119064Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119063Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119062Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119061Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119060Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119059Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2B06-618E-7701-000000000702}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119058Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.529{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B06-618E-7701-000000000702}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119057Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.530{147D18E0-2B06-618E-7701-000000000702}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119056Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:15.826{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000119087Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.857{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21150AD88513561B262A184C6BFA5D5B,SHA256=3F4B861C8437A0C3B8F624847819426662EE98C061B4FB1B321E15FEAB622F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160389Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:19.690{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F525B9841B07C0A90D237DA692F3A06,SHA256=735585752E99AB292B6CA0266812FF054FA24DB328B09E1FAFB5F36F3265F2C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119086Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B07-618E-7801-000000000702}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119085Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119084Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119083Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119082Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119081Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119080Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119079Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119078Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119077Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119076Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B07-618E-7801-000000000702}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119075Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B07-618E-7801-000000000702}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119074Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.094{147D18E0-2B07-618E-7801-000000000702}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119073Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:19.092{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1068E5D16F053BB45EE43D393C49A91B,SHA256=6BB4524E50B16AA2F75DB5FF2BDF15EAAC1EB0F5394BA5096C59DBD869677F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119089Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:20.857{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D724F29D1F6D92F392C049BE345808ED,SHA256=5DC4425C217CEBDAF2D419EF4F2F96C4621A455995B61F8E1475544290EF417F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160391Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:18.096{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58747-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160390Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:20.690{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EBD34F59BBD0095A5EC66D79E99895,SHA256=6FF6A8C7E1FDD51186859BEF147F4D6E246BDCB89B2377ACC1426B21973ACEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119088Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:20.092{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84A7AF5B726F407952784479095C317B,SHA256=3E1265E97E227C9068183FAA375F8AB0A2664E26E08CDC8F7DCCB813A9C30B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160394Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:21.716{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12ADBE3B220A5EFEE19B3BB5625257FA,SHA256=BAF6FBA665CB92C5114F73A94E4FE7E6A14F6440DB69ABC3B0DCB22B387CBA88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119117Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B09-618E-7A01-000000000702}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119116Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119115Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119114Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119113Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119112Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119111Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119110Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119109Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119108Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119107Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B09-618E-7A01-000000000702}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119106Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B09-618E-7A01-000000000702}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119105Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.842{147D18E0-2B09-618E-7A01-000000000702}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119104Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:18.733{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000119103Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.310{147D18E0-2B09-618E-7901-000000000702}24082856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119102Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B09-618E-7901-000000000702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119101Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119100Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119099Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119098Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119097Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119096Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119095Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119094Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119093Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119092Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2B09-618E-7901-000000000702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119091Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.138{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B09-618E-7901-000000000702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119090Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.139{147D18E0-2B09-618E-7901-000000000702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160393Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:21.631{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=387E121967E82BE2D5EECF5F185666B4,SHA256=2D148F3C999F53E8F9ADE4CBB4DCFA0AF32A8DD7639A732285393E614DC98035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160392Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:21.631{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C3BF726C48E0018AEF780DBD7BB4614,SHA256=80CC60EA6782C92270A0080FBE5EBDC2D7399ABF2E1299A3F1E06D94EB24740A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160395Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:22.815{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F712D3D7EE76C8DDC4CD593A02622396,SHA256=CE1F5ED841113A7857C771B92442B6BD728A2F06E527260BEE664C8468616226,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119134Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.654{147D18E0-2B0A-618E-7B01-000000000702}968956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119133Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B0A-618E-7B01-000000000702}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119132Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119131Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119130Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119129Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119128Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119127Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119126Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119125Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119124Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119123Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2B0A-618E-7B01-000000000702}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119122Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.513{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B0A-618E-7B01-000000000702}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119121Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.514{147D18E0-2B0A-618E-7B01-000000000702}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119120Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.373{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4AC3D6AA5101ACE6D05D75610375FE5,SHA256=65A6780664D8D30400F1CF9D41A1A1B4C8EB8C337ABA4D4F9D09BA962C2608CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119119Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:22.013{147D18E0-2B09-618E-7A01-000000000702}26963968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119118Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:21.998{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEB4C871721851D4F9B93C89E3EA0CC,SHA256=07F00F0A51005BBEAA4C607122F78E4F0160A907D8EFE2DE39C628F7162F87AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160397Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:23.862{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D045019031CEB658D7AE99568E1C933E,SHA256=497CFC5D3D4A23724FF62CFA290D6994A53C40F197898F4230B866642C999552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119136Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:23.545{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44AE0C8CD7E073AB000193065C619B00,SHA256=4900BFDE4FE8013F58CC6302F878E489E4C0BD706CBE239F9E7BDD16EBC76138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119135Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:23.201{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EF78317E5E35AB29BEED069132A70E,SHA256=53BB380F037290877A4A04FFB25EC593DE271708FE2A5446F97A640E22A40065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160396Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:23.462{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160402Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:24.877{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C179EA0199DF542D71377855C79631D,SHA256=0ED4E64321259ACAC54D1C53438F66D535D657F3B79BD3ACBFAFE9DD0153CE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119150Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6366BC5A6FFA27418441FBC7AD56F067,SHA256=249629FB7993D5B066C1ACF22E34175F87E8CFEE693915FAB400E8672C90C1B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119149Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B0C-618E-7C01-000000000702}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119148Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119147Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119146Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119145Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119144Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119143Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119142Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119141Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119140Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119139Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2B0C-618E-7C01-000000000702}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119138Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B0C-618E-7C01-000000000702}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119137Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.342{147D18E0-2B0C-618E-7C01-000000000702}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160401Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:24.762{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160400Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:24.762{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160399Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:24.762{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160398Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:24.762{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2500-000000000602}2744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160403Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:25.992{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6BC998AAA7941E28FEBC055BFB1FE3,SHA256=C642B02B776E8ABB39AFE948211045B0855B8B8910F9E42D2D1125052413524A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119152Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:25.576{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=709FBC8472BA67415F9231C8D33AA6C6,SHA256=559307D223F3ADF12E8F3EBF630420EA0CFF7BE2DA5829B4C1324512649EE47F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119151Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:25.357{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F1CF76BD45797D5E4F89D2514A0346,SHA256=58C8166F920E40D19BBDA8F5C26FAB397E15B0DD003BA6498DBAB7851C61A1E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119154Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:24.623{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119153Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:26.420{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE646BD3DF166945F6891E7806A910F9,SHA256=D63810FE7CC85F65279C135231B20D179C9A49051B32FA7765664BDB59B3E161,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160405Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:23.236{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58749-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160404Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:22.468{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58748-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000119155Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:27.467{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC08A7EB10F54C416EEC8EC465389506,SHA256=E4620C8ED5D4A3692C5559DCE2C17C75158623962A6060AA6738FBFFC89E9EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160406Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:27.029{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22874727BE7AF05E22EE7D7FB70677EB,SHA256=6E7FD18E2A2CB73974A93B8E380E1CA6CF1A8A2A7B4894A34598793A62D35150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119156Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:28.545{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62545F939A4CEFD610F74FB079605CE7,SHA256=30196E19AB3F6DE6F35ACAF483DCDC7F6CC0807389BF9C8C86F4D1177638BC84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160407Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:28.059{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6998BB49D8A93C85B8A44B40AAB852,SHA256=B64318D3B135DE7AAB41DE85BE118BD65B0597ECB22C0F9B16A1C5A29030BBE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119157Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:29.545{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924C130DF7C25A37BE78FCB6C9DB9C53,SHA256=DAF5B909019969466B073F26C8F8DD56940FF5350E4354A65AFCF68DC685494B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160408Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:29.091{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFA689DB17DA18391FD8541AB82E420,SHA256=B88DCA22FEFB8EEB3F6A0995E3A43BD3F54419C4D8A1E3F72FF122DB102083A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119158Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:30.560{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635641054F56CC36D59FC2D8DCEFE8D8,SHA256=CA7A1DA43EB5479BC9C352DC245D5DB12A7E4B4F631A02C2794286118CD58256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160409Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:30.128{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDAF68DA247E5F3C9CDDFE694F62BFDE,SHA256=5A43E1302265331EE8B8450E41DF45D0F232F56068FF0A406323007ECB558CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119159Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:31.592{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926E222D70B9FBD64D6FEEBF0898AC72,SHA256=A42F5CAC61643A1BBE43B87FFF3062907CD2A654B605596CC812F42A9F76C9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160410Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:31.143{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B943ECFEA5B4314AAABA6F8156ED1D,SHA256=FE35CB03D52912F7EE9022D8A59147CE0C3B273694470E839CAB8E961DA12B61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119161Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:29.732{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119160Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:32.623{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937D188DBDF6A5C900D5F25E3D0E0B45,SHA256=426E4708C8E4D243B9ED53BA8B6ECC5B2D5D8D35BB0F392AD29511D1E6AA3FED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160412Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:29.097{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58750-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160411Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:32.227{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0841ACE0E07A615F26F4D258EF54CBFB,SHA256=EADAC63A4D4109E26EBF55848C684494E05789AB8AF9E0EF56904C3418ABB4BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119162Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:33.654{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCEF5B5E52159FA086FE003FC720620,SHA256=C1D7797B286AE92248E8F22240A43351DD3FCDA4953203B6865EAE786D5B13E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160414Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:33.227{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8EC77C868F45E4A819221B3092ABE2,SHA256=F3A2495008998E7F5DB56A388682342B3B91D00998E9878182D2FDF2AC2A5E42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160413Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:33.174{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=BC729CDE5BCA62C0B5DA0480F883F648,SHA256=8831999A888EEE9BD597D4B1F289C00A4BF93C331C5242DB8400B09D85C090B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119163Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:34.654{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32AE429B93AFBED817497F6CD798BE7,SHA256=5A6F144E54D55673750CA824920D88DA898CD00A01849C796F0B1B9C3211B11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160415Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:34.257{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6DA62FB19E9E1A585482F4E9180149,SHA256=EDADE5607C6FF2A6E36B570E18A9DF64EB692D08FA4A6ACAED9D4D2E4513CAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119164Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:35.654{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F0689D546646A6140E3A8E451274B3,SHA256=2600F7691AB97D1A3E88A12F0335569443667AA8417D8C46BFE5E2CDED358394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160416Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:35.325{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A54A1A5DCD09B97E95394EACF2B3AA6,SHA256=045F287BE65FBDA167E9337B19DE5EF41406FB13D397167346911CF952C7C1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119165Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:36.763{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D6D3874E57502DFDE8A026762264FF,SHA256=3EB503CCC1FC4F954A72A65D156793B7F17C569466743282F3F011EF0E401950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160425Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.955{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B18-618E-B201-000000000602}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160424Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.924{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160423Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.924{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160422Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.924{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160421Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.924{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2B18-618E-B201-000000000602}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160420Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.924{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160419Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.924{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B18-618E-B201-000000000602}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160418Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.926{189417FC-2B18-618E-B201-000000000602}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160417Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.355{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEC62EBC55706AB103C4C62BF3E1904,SHA256=0113BC4F7031EE0265FE89C6F690360FC1640C38C7FD90173F7A7BA29042AA44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119166Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:37.810{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8615DBA994A85D5EEB4D3C6C2CC000F,SHA256=105F71EBCD671962E9ABA7B0C568BFD56B810CA65CF1234ADD62C0CE1247F8B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160437Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.941{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E49A79321E92949B77E6AC8CCDF88E4,SHA256=6A0CC18B61D708C411C4C9EE8143B74E796460A9C0900D041DA1576B6E6061C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160436Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.941{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=387E121967E82BE2D5EECF5F185666B4,SHA256=2D148F3C999F53E8F9ADE4CBB4DCFA0AF32A8DD7639A732285393E614DC98035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160435Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.769{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B19-618E-B301-000000000602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160434Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.767{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160433Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.767{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160432Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.767{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160431Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.767{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160430Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.767{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B19-618E-B301-000000000602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160429Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.766{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B19-618E-B301-000000000602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160428Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.766{189417FC-2B19-618E-B301-000000000602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160427Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:37.387{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6A29F903DD1DBA20F8850B5577E675,SHA256=FFEA4077C9C08884DA65FC25BA18DDF02B3EBBF3454B99762DDBA17852AEA133,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160426Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:34.225{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58751-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119167Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:38.810{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C764A2269617E3677455FF39C45226,SHA256=04702DB8028ADF37E327C0E40F92622A7D69A56E0C05C63C75349CDED5E76EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160447Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.541{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D23EE026A4414215AD7D731156665F,SHA256=512E73DFC75CA1F816D23C4567F70940CA94C672BE2A039A8FAEC0D305C06B6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160446Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B1A-618E-B401-000000000602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160445Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160444Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160443Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160442Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160441Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2B1A-618E-B401-000000000602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160440Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.441{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B1A-618E-B401-000000000602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160439Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.442{189417FC-2B1A-618E-B401-000000000602}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160438Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:38.010{189417FC-2B19-618E-B301-000000000602}47124016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119169Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:39.826{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F805D24F51705365770C960B87AF5C45,SHA256=AEBAF3CA2FBF3A6B2E53B488C26D849E032F6DF038369FE0C0A643C0074FFDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160451Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:39.557{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C27CDCB1B71A98F78CF95BDBD8258D,SHA256=36EA9ED4B1271D6854DC79E2610C61B2B1526ECCF70704CAF052118BC58BB338,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119168Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:35.623{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160450Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:39.442{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E49A79321E92949B77E6AC8CCDF88E4,SHA256=6A0CC18B61D708C411C4C9EE8143B74E796460A9C0900D041DA1576B6E6061C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160449Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.856{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58752-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000160448Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:36.856{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58752-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 23542300x8000000000000000119170Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:40.842{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66397264468C3A575614CBF486F7E13,SHA256=BD510BA25FB739E24985698050AE9F6814F7D76733C3DA013F7504BECC242EC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160485Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.780{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160484Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.780{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160483Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.780{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160482Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.776{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160481Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.774{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160480Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.711{189417FC-2B1C-618E-B501-000000000602}60925564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160479Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.695{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160478Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.695{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160477Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.695{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160476Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.679{189417FC-2975-618E-6001-000000000602}45084612C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160475Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.679{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160474Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.679{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160473Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.679{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160472Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.679{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160471Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.658{189417FC-233F-618E-1600-000000000602}12522132C:\Windows\system32\svchost.exe{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160470Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.658{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160469Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.642{189417FC-2B1C-618E-B701-000000000602}40724244C:\Windows\system32\conhost.exe{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160468Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.627{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17590675E35D00C33832A1C303DFA683,SHA256=BF2E65352987E46CBE20C98314BAC2377C471B0FC91ACA7566130A6480627126,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160467Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.611{189417FC-2973-618E-4D01-000000000602}19686080C:\Windows\system32\csrss.exe{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160466Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.580{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160465Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.580{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160464Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.580{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160463Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.580{189417FC-2975-618E-6001-000000000602}45084276C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+1f9ab4|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+175750|C:\Windows\System32\SHELL32.dll+16d62c|C:\Windows\System32\SHELL32.dll+19e808|C:\Windows\System32\SHELL32.dll+16d7c6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 10341000x8000000000000000160462Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.580{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160461Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.580{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160460Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.569{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework\v4.0.30319"C:\Windows\system32\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{189417FC-2975-618E-6001-000000000602}4508C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000160459Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.377{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B1C-618E-B501-000000000602}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160458Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.375{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160457Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.374{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160456Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.374{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160455Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.374{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160454Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.374{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2B1C-618E-B501-000000000602}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160453Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.374{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B1C-618E-B501-000000000602}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160452Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.374{189417FC-2B1C-618E-B501-000000000602}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119171Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:41.857{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0960025BC174972CADCC4A7828AD698,SHA256=FEFCF5CD54AC16019C81F83CFF07DC54A6BA559459227427BC3EA514F73792A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160504Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B1D-618E-B901-000000000602}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160503Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160502Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160501Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160500Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160499Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B1D-618E-B901-000000000602}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160498Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B1D-618E-B901-000000000602}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160497Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.645{189417FC-2B1D-618E-B901-000000000602}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160496Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.643{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9522574DC3D15F23A349A0799B5C53,SHA256=7FE44858D9269243ABE96D5D583F18CF7EC5F098E81DA5316CD916025CF38CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160495Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.381{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBC83EC71E513279F2F4B0435CF07529,SHA256=2CC277CB4E0EB7FC82B2DAE342E68DB30BD0FC62A6C067C573DBEB218AAC1279,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160494Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.327{189417FC-2B1D-618E-B801-000000000602}55325340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160493Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B1D-618E-B801-000000000602}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160492Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160491Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160490Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160489Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160488Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2B1D-618E-B801-000000000602}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160487Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.043{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B1D-618E-B801-000000000602}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160486Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:41.044{189417FC-2B1D-618E-B801-000000000602}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119172Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:42.873{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D38B000852698413D66FCA7B9F5B12F,SHA256=E5BF670102CE0EFA70BF8F9070B5F7888A4D36A1E11A280D64B58F96699BB2DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160531Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.785{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500115740D85FC255CA3DDDD1DC806AA,SHA256=E08EA076013A22C5F70AC3E3E85A5A8156F2DDE0FCE80CE0076957A2EDFE3587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160530Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.651{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EFB7BB02AA48606382D8404132C1A83,SHA256=D93204CB925101E8DA4FE62E98BAF65321442DB364541F5DBA25576387F480A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160529Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160528Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160527Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160526Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160525Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160524Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160523Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160522Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160521Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160520Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160519Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160518Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160517Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160516Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160515Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160514Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160513Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160512Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160511Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160510Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160509Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160508Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160507Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160506Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.469{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160505Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:42.145{189417FC-2B1D-618E-B901-000000000602}58324836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119174Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:43.873{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE8703D9AF248DDB1C651E036DDB2F9,SHA256=CA512D9F19C9C071DAA2FB3D10D46DB9FE3DE2AE29184B873D09796112D9CED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160541Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.785{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F091F416C47D09D812ECE0ED0793EC20,SHA256=1825A184C9655DB1FAC516360E2D32FC5EDDED5F27FA141B77E054D7E91B50AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119173Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:40.733{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160540Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:40.097{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58753-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000160539Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B1F-618E-BA01-000000000602}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160538Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160537Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160536Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160535Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160534Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2B1F-618E-BA01-000000000602}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160533Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.369{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B1F-618E-BA01-000000000602}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160532Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:43.370{189417FC-2B1F-618E-BA01-000000000602}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119175Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:44.888{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C487FCBA89AB9AF436EF9B1EA03062,SHA256=542E4498C41E51D5633076123204B9D22BFB9AFC404F8F5AEA35310543A628C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160543Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:44.800{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F299B77A151DDDF96BDD946282AD06AC,SHA256=14D66768FE15A650A167F1F173A46C088D02538B850F1897733D77A75355E51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160542Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:44.400{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C040B4CFB3B29E7D4991957C849BB07E,SHA256=0A85068E65243A2A713953F8692FD7B6F2753C948E70324B062F26565D3B03D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160544Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:45.815{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DBEA2A09FF9B0EBD4B80320B32BCC3,SHA256=C5571062187EDBF6608C4A09115E1DEF10F9E27A45DB53D2C4CBEC53FD2267A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119176Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:45.888{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCAB0EFB3EE2106C843FC918FAFA603,SHA256=0078C455B593D71CE0D191372ED918E0E09F090D2182441B627E30D3CFCD888A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160545Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:46.830{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD5E335B7DECF861DED63B1EDC3BD15,SHA256=CA8F825AB8ADE592B59AC0239D47856705EE34E762E49914E05722DE6F015D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119177Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:46.904{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE73EE8534DE858290C7F610AF023122,SHA256=8F9F411F7C71A32606CBA8AC257EE143D2FDD0DE1F0E210A0DB822A00B1B0612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160546Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:47.982{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD3DDDD0E43D1A4A96BF95961D1DD62,SHA256=FDB191F64AB0F3EF8CCA97A122246449EFD1DE30985770F209DB937D4C951AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119178Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:47.951{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F97E91EBB19583E21CC3A5ED2DA9DC,SHA256=D35AAAC3CBFD78A1C40848A7C6CCED4E28041E83426B059D707909322DA8B312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160548Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:48.982{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626F69DDCDF0F9CA43043629391EAD5F,SHA256=54AE358C6D5AC6FCAF88EF1076C7DE6ACBED2415F1DF2A98D66DAB8A1B31CCAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160547Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:45.252{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58754-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000119180Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:46.608{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119179Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:49.013{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197DD6F779F106279A2A58A42754A6D8,SHA256=7F1162A07227842D79DD5BB89F9F3323453EE036A59774DCAED64206228537CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119181Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:50.060{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5524D6EF36F36AEE535FD9E43A11F6,SHA256=977DBB134E6C99CACCFCF49D3E654C58B9923C6709BB5E725F0102FDE7D982AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160549Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:50.013{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162F60254AC0769FF2D4D025AD280FB5,SHA256=352AA83EA9D0727DCA964254682C99CB200758BDAA131F9492BA1CEC8CE14DDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119182Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:51.107{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C03CDE03FA10460C1B4F610045BC7D,SHA256=653D15751DE9A2F4EC3DDA4E1AB781F8C60671BC5BB0F2C7C82BFA7787DF1C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160550Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:51.028{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9935391CAF1795B8B966781B183FF0,SHA256=A5766165A09CC30EEB22341E94843B5A6A0C82163AF7C6E6997B5839B467BDF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119183Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:52.154{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5A32B6897E4280DDB3503DE67818CF,SHA256=E14AD04B0917539DCE48E6DA55F8999F0A6E998C475B062626C72C3366CFEC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160551Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:52.047{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5572C034DCB08817AFD1494C94079F,SHA256=05B54554CDCBDA1AD71F820DDF7AB665021D8AE8DB1DD3959A9B642E32B3E2E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119184Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:53.201{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7D51DCA38B489E532A897B01F7C21F,SHA256=615382A4AB8C07DA3FFE04A158DE8BC4985ED31FAC3ED1029743238AC0848E3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160560Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:51.118{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58755-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160559Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.083{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94ECD08D541E52D61A59116EE9E3F8E,SHA256=5279A46066B83C0655DAC403B906E9E30D84F3D91E172C00A8BC989D87568BB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160558Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.048{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160557Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.048{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160556Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.048{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160555Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.028{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160554Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.028{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160553Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.028{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160552Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:53.028{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119186Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:51.686{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119185Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:54.310{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FBE93BDF4145AFAFCA0F8CE0557C2B,SHA256=15AEDC6FD7E5E9D72F3A10C09E033B28413C2D5BD377312F59CC7E5DF45D405C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160565Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:54.635{189417FC-2975-618E-6001-000000000602}45084640C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FCA63D08)|UNKNOWN(FFFFBAB51D2A5B48)|UNKNOWN(FFFFBAB51D2A5CC7)|UNKNOWN(FFFFBAB51D2A0351)|UNKNOWN(FFFFBAB51D2A1D1A)|UNKNOWN(FFFFBAB51D29FFD6)|UNKNOWN(FFFFF802FC77C103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000160564Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:54.635{189417FC-2975-618E-6001-000000000602}45084640C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FCA63D08)|UNKNOWN(FFFFBAB51D2A5B48)|UNKNOWN(FFFFBAB51D2A5CC7)|UNKNOWN(FFFFBAB51D2A0351)|UNKNOWN(FFFFBAB51D2A1D1A)|UNKNOWN(FFFFBAB51D29FFD6)|UNKNOWN(FFFFF802FC77C103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160563Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:54.635{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1f06df.TMPMD5=EAE1A877F1E70EC6E8A1C36B90B5FD06,SHA256=37A035AE6A66F2C57D61F6A22DEF6393BBEDA1F046CDEB7E66F00B2E3F5ED69C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160562Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:54.169{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\startupCache\startupCache.8.littleMD5=6B8645E1FD352912EDCA5C1E55D66A4F,SHA256=A8A711480C556EA1A2EC9397CDC3F616DB14C4FA61249B47472A4CDD1495FFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160561Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:54.114{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7739A03E13F8876C87A3CCEBEC6D738,SHA256=326E0E93B9C9ECF6C386F4AF8142ED5B3590DF350580964EA9E62903521B54BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119187Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:55.420{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F3AEE8749A4471E9DBACCA74F49286,SHA256=93A039907F59460CE240F95F32C906F7D875872EAA0BDCE5BB7CDC1C5F47FCEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160566Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:55.119{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF875E9C32489F67CE074BCC7F05B69,SHA256=6D072D81BB9D05C717BAE8BBC29A5C99C79CCBC2CC02EF3842CA5B237AC0DF5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119188Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:56.530{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB3A8801FFE869EEE69E2FD3F93CA07,SHA256=D59FC2AF5BA9713F4986225B4DE6D6C945455CC79578FBA9A5EFFA64331C6DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160567Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:56.249{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7452E80D33F9EBB995F61B39118F22B3,SHA256=7A360D4329A797A9E523293555DDD0780F673FB7E46EF233AA69B8ED30AECA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119190Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:57.558{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6B28A38EDE551433B838E89A754D5B,SHA256=F575651195847AE6D0E933A8CB036297AAB7B41C61DE0970BAD48D924F14AB99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160568Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:57.269{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF389F71244F7AC1FAB7DEE99FF559F,SHA256=CD335B8AD59A55A8F8B376CA16148922C0980821FED68CD54FF3262DA3658B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119189Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:57.002{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-032MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119192Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:58.574{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5061B940A38A3523A88D84041B240EAB,SHA256=C459CF5C71E9557E752ECD2255B605DFEB5E36B0C07BCFD4C94B5F4447523AFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160570Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:56.255{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58756-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160569Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:58.271{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AED5BBBC3BB4616135BBEF31DB1F3E,SHA256=EAD84F29D27FD4A69F84BCE4D226F2FC38B5B03CFE65F94A0754FA8A74ED4624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119191Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:58.012{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-033MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119193Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:59.809{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302FEFE709721C66C30E12C22D736415,SHA256=AF0527E0EE3847BBB43FBC3AE97C88815FFE6105CCF4E6D67918F27665EC59FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160571Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:51:59.286{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB83D676D4E3542D1E44512D399C18DE,SHA256=D06C057A28FC300E3471D1DD94C78230E57C637E6E3689ECA2F321955C296756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119194Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:00.996{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819B20A81AE07562B476DFCE9C0F7879,SHA256=81D521AD9D0C0A07D06BBED583DB5863C1EA8BE98AD1E1E45909D3C55E77A430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160579Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.385{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF6BE1FF06FA596D17C2BA84AD34A59,SHA256=F160775008A4F69C46C09E23C82F205EE774E543B76C56B893A36692A743E84A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160578Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160577Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160576Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160575Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160574Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160573Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160572Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:00.032{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160580Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:01.417{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9511AA083441E4D53C409470B075154E,SHA256=BB13480C7B6DE48AF1D13EAF760F035A4B58ADC2DD3521F7E9A3260162023661,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119195Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:51:57.619{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160581Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:02.432{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5E67138676582C04EF7DFEF327E05C,SHA256=8939B032722EBC0646C041FD94E7A13DD11CA0BF28DC2ACD227577C7A73EFC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119196Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:02.012{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E298AE0CF393FECA109034B2A8D55480,SHA256=2373AFDA229F3A8762BD047F5A3B6A280323324E5FF4BC089D7D1E126E8872B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160582Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:03.434{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CDE22D47CEA6AA3F94B08330622221,SHA256=9F03902C30937C72D87FF70042920792AF197A9079733B29941A173B937F5D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119197Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:03.027{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEF54E181263FA06B0A886E6A49FD1C,SHA256=ADE3121FE3D5D0753040C4EAF5987DCDA2989F5555C5FBAFB06C44E8E083CFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160583Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:04.448{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7CBC5C43DA87CE1DA35EF6B7471909,SHA256=25F5AA76A311C3E3B92D3CC92E457F3C36854873A641EB225327E7785CC836EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119198Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:04.043{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5146CB1454678D99718971AD31A4C633,SHA256=FCA35CE1339868C6622CDF9DD517F1BDCD0A2B4B483331EA4280BAFECA6FBCA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160585Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:02.153{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58757-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160584Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:05.448{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D74521940BE9F6F313D351CCFC75237,SHA256=077A8C0F5743FFEBFDD2205B417877F8BA67C7A08F07D349C66BD19738C04830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119201Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:05.637{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=40BBEB91B616D047551847839BB1F969,SHA256=5335D841D6C27829EEDFA73218194D4E72EB9D47B828EC4929FB6D130A2CC36D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119200Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:02.778{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119199Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:05.059{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE61CB09B11650D9377E55C234FE074,SHA256=9B05A54F61ED6C8FEFC4B1EB94B5F5075BBEB8460A2ECC7B2F98BC47854A8847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160593Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.470{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA3883C60B837CB1DA109D4F6088339,SHA256=436C5C64BADD5D5CFEC02644B7E60315AEF69A739F620D464D923EE41638828B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119202Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:06.059{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBEFD3C5553006F2BCC768E6F5EC76A,SHA256=D1AD32CB3303BE95DF084BFF2E97BAA7C4F670BE7BEDF3842D5DAE5BD9CCFFB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160592Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.332{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160591Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.332{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160590Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.332{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160589Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.317{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160588Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.317{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160587Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.317{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160586Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:06.317{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160594Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:07.486{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775210C18840CBDF9ED91A7C9A40684F,SHA256=D777E695CEEB13D112FE8DC0EB49E4B2C540AFB7C0E56D17ADA1A8DBE9E8D161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119203Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:07.074{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87700CBF007C72EEE8C4BFED1818067,SHA256=EA79F15130FEEEF875436862DCA9EB39A2C8D484C7A2AC6E315785630A3FEEF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160596Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:08.716{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9ECC3D48AD65B6A5B9C989DDA70F8332,SHA256=770006E669B3A6E61818A17E7CFBDE5D75AAA07552B92F6EEE3DEFDC7F16D30A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160595Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:08.501{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66444EE008493E9AD08FFC39AD4F391E,SHA256=2FF5EE32519FB3EB919ACD3E965F2A93AC8AEFD5026499B8A4C9CC3339C8B5DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119204Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:08.090{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00539F5D84F9567DB99052F0A78761B4,SHA256=0F3C16B6D6EE23C488D88AF98E7AAFB36C2745435A6633A803AEF78D18090440,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160600Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:07.169{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58758-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160599Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:09.516{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA96086678AAB3D394E5BC860EF67F9,SHA256=10FCDC5366F952D2CFD16E50A17CDCC58EC50D9C88C4B6F5A15C07A6D273A6E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119205Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:09.105{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9E76A06270DF8F196B96BB3F3F92EF,SHA256=1EC16A1A0BD1085B6B883CDCF671FE403FF3FABE574572B173692E21BC73B679,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160598Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:09.284{189417FC-2975-618E-5501-000000000602}27083276C:\Windows\System32\RuntimeBroker.exe{189417FC-2975-618E-5701-000000000602}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000160597Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:09.284{189417FC-2975-618E-5501-000000000602}27083276C:\Windows\System32\RuntimeBroker.exe{189417FC-2975-618E-5701-000000000602}3644C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 23542300x8000000000000000160601Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:10.584{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478C375BCF96F81CA6EDEB20E5BE7479,SHA256=3FD72ED6D6F907A6E6B635AC4E3D70401106029CD3913FB665CF028475C403FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119206Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:10.121{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A898EA865CA46F86539E45C3F9DC752,SHA256=0B8A6F9F0BE34964E843622E1E816A9F67103A52A4A52570EE346B7DFC725ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160602Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:11.645{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDA02904A973B305BE7463A533CD731,SHA256=20C2C721CF7CDEF73592A73249944ADD8C8B250C68CF2F4D274FA6E6894B92C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119208Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:08.622{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119207Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:11.121{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92643A54D079BD034598A2A53BDFE596,SHA256=5F44519FE86264D0F9AD7B789D4F39D28DC335015F5D63B7360F3CE71FB5D6F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160665Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.946{189417FC-233E-618E-0C00-000000000602}8483096C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160664Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.930{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160663Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.930{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160662Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.930{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160661Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.930{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160660Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.930{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160659Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.899{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160658Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.899{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160657Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.899{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160656Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.883{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160655Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.883{189417FC-233E-618E-0C00-000000000602}8483096C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160654Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.883{189417FC-2975-618E-6001-000000000602}45086004C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160653Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.883{189417FC-2975-618E-6001-000000000602}45086004C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160652Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.714{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887EE1E387883D6A7FF3F14991C76E5F,SHA256=F2968DCB29C200A9C194A30D34331884D4657CDB449BAE4ACFB2339EB60BDCEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119209Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:12.121{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A17C49F1F6977FCF51FCC28222FA8FE,SHA256=DB13F5A5A8105EFDCDD1E8E0767A4793FAEE33AE657CA10DD6C6B67E7CA350AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160651Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.568{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE48C3B6C817ADBACC2A0D4E819B08F,SHA256=0E83E35F4ED0B8FB956E3E3E3911605B51398EF4B0573F9EE3688B31B100BCBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160650Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.563{189417FC-2975-618E-5501-000000000602}27085556C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160649Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.563{189417FC-2975-618E-5501-000000000602}27085556C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160648Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.563{189417FC-2975-618E-5501-000000000602}27085484C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160647Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.563{189417FC-2975-618E-5501-000000000602}27085484C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160646Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.561{189417FC-2975-618E-5501-000000000602}27085940C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160645Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.561{189417FC-2975-618E-5501-000000000602}27085940C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160644Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085996C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160643Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}2708864C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160642Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}2708864C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160641Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085604C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160640Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085416C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160639Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085712C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160638Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085604C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160637Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085996C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160636Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085712C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160635Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.545{189417FC-2975-618E-5501-000000000602}27085416C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160634Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27085804C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160633Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27085856C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160632Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160631Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27084880C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160630Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27086076C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160629Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27085132C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160628Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}2708596C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160627Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.530{189417FC-2975-618E-5501-000000000602}27083276C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000160626Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.345{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000160625Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.345{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000160624Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.345{189417FC-2975-618E-6001-000000000602}45086004C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160623Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.345{189417FC-2975-618E-6001-000000000602}45086004C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160622Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.282{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000160621Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.282{189417FC-2975-618E-5501-000000000602}27082828C:\Windows\System32\RuntimeBroker.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000160620Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.282{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160619Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.282{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000160618Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.282{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160617Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.282{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160616Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.266{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160615Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.263{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160614Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160613Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160612Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}84892C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160611Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160610Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160609Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160608Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160607Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-2975-618E-6001-000000000602}45086020C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160606Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-2975-618E-6001-000000000602}45086020C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160605Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-233E-618E-0C00-000000000602}848956C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160604Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160603Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.245{189417FC-2975-618E-6001-000000000602}45084668C:\Windows\Explorer.EXE{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160685Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.914{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640E9DD8BBF63BE25E35429564F5557E,SHA256=07BB330ABB03C10456598CDF639F1695485FB40CE88953454DF4F3F887B76999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119210Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:13.137{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E5B57C906390CF6CD577C5E9E89FBF,SHA256=377D49062CAF82B57816921B3F85A310E981CEE559CC0A1634D65E4CC46B2011,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160684Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.630{189417FC-2975-618E-5501-000000000602}27084880C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000160683Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.630{189417FC-2975-618E-5501-000000000602}27084880C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000160682Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.630{189417FC-2975-618E-5501-000000000602}27086112C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000160681Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.630{189417FC-2975-618E-5501-000000000602}27085548C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+2a2f91|C:\Windows\System32\windows.storage.dll+74783|C:\Windows\System32\windows.storage.dll+747fa|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000160680Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.630{189417FC-2975-618E-5501-000000000602}27085548C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+2ca252|C:\Windows\System32\windows.storage.dll+cb155|C:\Windows\System32\windows.storage.dll+74066|C:\Windows\System32\windows.storage.dll+2a2ef3|C:\Windows\System32\windows.storage.dll+74783|C:\Windows\System32\windows.storage.dll+747fa|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346 10341000x8000000000000000160679Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-2975-618E-5501-000000000602}27085548C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+c6b73|C:\Windows\System32\windows.storage.dll+c62e1|C:\Windows\System32\windows.storage.dll+c61f5|C:\Windows\System32\windows.storage.dll+c618e|C:\Windows\System32\windows.storage.dll+11c559|C:\Windows\System32\windows.storage.dll+61096|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346 10341000x8000000000000000160678Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-2975-618E-5501-000000000602}27085548C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+c94c3|C:\Windows\System32\windows.storage.dll+11c3d0|C:\Windows\System32\windows.storage.dll+11c327|C:\Windows\System32\windows.storage.dll+11c4f7|C:\Windows\System32\windows.storage.dll+61096|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x8000000000000000160677Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-2975-618E-5501-000000000602}27085548C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+cb257|C:\Windows\System32\windows.storage.dll+61155|C:\Windows\System32\windows.storage.dll+61078|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000160676Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-2975-618E-5501-000000000602}27085548C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+61129|C:\Windows\System32\windows.storage.dll+61078|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+cc60c 10341000x8000000000000000160675Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-2975-618E-5501-000000000602}27084880C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+9f408|C:\Windows\System32\windows.storage.dll+1a2b29|C:\Windows\System32\windows.storage.dll+1a2985|C:\Windows\System32\windows.storage.dll+a0166|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000160674Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-233D-618E-0B00-000000000602}640808C:\Windows\system32\lsass.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160673Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.599{189417FC-233D-618E-0B00-000000000602}640808C:\Windows\system32\lsass.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160672Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.430{189417FC-2975-618E-5501-000000000602}27085556C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160671Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.430{189417FC-2975-618E-5501-000000000602}27085556C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160670Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.430{189417FC-2975-618E-5501-000000000602}27084880C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 23542300x8000000000000000160669Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.315{189417FC-2986-618E-7101-000000000602}4572ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\mal.bat@2021-11-12_085210MD5=91965C4AC436447F1D64B3597D5A453C,SHA256=072E76295074037B713D9A86D1DC043CCB501E62A5D5CEA96C72D4AE2A8E45C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160668Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.084{189417FC-2975-618E-5501-000000000602}27085556C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160667Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.084{189417FC-2975-618E-5501-000000000602}27085556C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000160666Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.084{189417FC-2975-618E-5501-000000000602}27084880C:\Windows\System32\RuntimeBroker.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7 13241300x8000000000000000119212Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:52:14.512{147D18E0-233C-618E-1000-000000000702}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a2-0x96c89fd4) 23542300x8000000000000000119211Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:14.152{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3DCE35F8AC6D07D09D4731A935A732,SHA256=E47E7D3FECC7E6880F096BFDD506B3BF24B77851EA2A05A4B14D01943477915D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160692Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.929{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160691Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.929{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160690Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.929{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160689Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.913{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160688Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.913{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160687Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.913{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160686Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:14.913{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119213Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:15.152{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D858F512EDCB2D6284510A7092DE491D,SHA256=52A91172B2AAAE64BABF3367787DF1F7AD4DDE1624B2D7D5B8402CEF8648B18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160695Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:15.699{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-032MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160694Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:15.029{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F3104B4F8AB23A6EE67D84A72E7218,SHA256=A959860F2612D3D12F859196EBA8433ECD78EBE9B15B04BE89D5638B93BBEA46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160693Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:12.283{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58759-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119218Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:16.324{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119217Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:16.168{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64547307594B300E8EC15A0117B0418E,SHA256=2A5E95B6A1FFFE2D89F201C967B03A251C8C8964A1A25EF97A31F73F4D451172,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160706Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.797{189417FC-2B1C-618E-B701-000000000602}40724244C:\Windows\system32\conhost.exe{189417FC-2B40-618E-BB01-000000000602}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160705Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.781{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160704Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.781{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160703Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.781{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160702Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.781{189417FC-2973-618E-4D01-000000000602}19686080C:\Windows\system32\csrss.exe{189417FC-2B40-618E-BB01-000000000602}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160701Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.781{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160700Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.781{189417FC-2B1C-618E-B601-000000000602}44245572C:\Windows\system32\cmd.exe{189417FC-2B40-618E-BB01-000000000602}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160699Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.757{189417FC-2B40-618E-BB01-000000000602}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.execsc.exe /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\djymreij.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=F8F36858B9405FBE27377FD7E8FEC2F2,SHA256=086C38FD66AEC0E824ECB74ECE3D7124174201A9B4F5C9974FCFDBAF04A5870E,IMPHASH=950FB6F62526333E663D35BA72D19DDC{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework\v4.0.30319" 23542300x8000000000000000160698Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.715{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-033MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160697Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:16.063{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7169EF05F48C3AFD81087206866D1A,SHA256=81CEF6A9066A0308694CAD25AB2BC2AF37AFD5B95CD86FC687219818048013DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119216Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:14.043{147D18E0-233C-618E-1000-000000000702}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-29.attackrange.local123ntpfalse40.119.148.38-123ntp 354300x8000000000000000119215Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:14.043{147D18E0-233C-618E-1000-000000000702}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-29.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 354300x8000000000000000119214Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:13.731{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160696Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:13.517{189417FC-233F-618E-1100-000000000602}508C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-362.attackrange.local123ntpfalse10.0.1.15WIN-HOST-29123ntp 10341000x8000000000000000119232Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B41-618E-7D01-000000000702}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119231Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119230Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119229Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119228Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119227Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119226Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119225Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119224Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119223Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119222Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B41-618E-7D01-000000000702}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119221Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.793{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B41-618E-7D01-000000000702}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119220Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.794{147D18E0-2B41-618E-7D01-000000000702}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119219Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:17.183{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E39856FCAD7DC6B4DBF6B7321E4081,SHA256=5FD7569324444F1CA469033AB5E4CA15DC3D2410AE954458C5AC7308C1F1AD32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160709Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:17.913{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15272840CF4483054A93CD2F2946A06D,SHA256=A1A1EAFA6232191660ECA1BE89E58D953186813F90925D6AD3348840A7AF02E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160708Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:17.913{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=283992E99BA39E68D3B6BAC912BA518F,SHA256=8725C08DF7EC461FA1E99D5D8DE03E3DE11679292B852F12BF509B0C883F06DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160707Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:17.081{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BD47D88DCC7809B478708F56BB674C,SHA256=E407DFEE2C418888FAFBC7D3FA02C74B9AD52FFFB581846E0A8C1B37F40C33FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160719Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.229{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160718Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.229{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160717Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.229{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160716Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.229{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160715Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.229{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160714Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.229{189417FC-2975-618E-5601-000000000602}19043208C:\Windows\system32\sihost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160713Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.183{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160712Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.183{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000160711Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.183{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000160710Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.145{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E868E4DCD7971BDCBCE4F4C608DDDD48,SHA256=C278880BB84E6672F85B96C8BD286B90BD3E850D08A47A25259F5A8D74C9E8D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119247Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B42-618E-7E01-000000000702}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119246Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119245Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119244Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119243Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119242Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119241Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119240Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119239Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119238Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119237Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2B42-618E-7E01-000000000702}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119236Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.543{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B42-618E-7E01-000000000702}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119235Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.544{147D18E0-2B42-618E-7E01-000000000702}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119234Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:15.856{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000119233Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:18.183{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB552B5D435A539C7E61896DAE63E4B,SHA256=B3A0B48F5565B287745269AD257F8A171C595BD5BFEB4389493B5DCB8542F768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160720Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:19.214{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E3DABBA385646B4B32912E2792CC2A,SHA256=B00D4C0A56FD78261871AF9B7900A9C25F0175CB8587892CDF196C2A6D15954D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119264Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.387{147D18E0-2B43-618E-7F01-000000000702}3028828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119263Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B43-618E-7F01-000000000702}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119262Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119261Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119260Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119259Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119258Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119257Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119256Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119255Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119254Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119253Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B43-618E-7F01-000000000702}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119252Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.199{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B43-618E-7F01-000000000702}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119251Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.201{147D18E0-2B43-618E-7F01-000000000702}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119250Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.183{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF6474E1FDF86AFD085E7B2EB7F2BBB,SHA256=0A550C7003B8FC52A5E66CC758231C6103E4E357C27F7B4D24DDC813842B2991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119249Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.027{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B30F6766F960BF44C713165B7297400F,SHA256=DA2F51DDC25FB18CB5FFD183AC1F187AD6D7E5318BB295B30BCD4824FFE81F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119248Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.027{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF39C7A758B68B33D0409E62B1187115,SHA256=15A23EC1D757CD502D9034A1C2296CAEBFE04E3BECE6DE5E22475B05E1A25274,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160722Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:18.204{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58760-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160721Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:20.214{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=783B45C023E3F9417FC6C62B4BA93C0C,SHA256=06A236FE2B02177325EC9B395BBC8FDEF0FACDFC849458E2A1628FB472D877E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119266Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:20.355{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B30F6766F960BF44C713165B7297400F,SHA256=DA2F51DDC25FB18CB5FFD183AC1F187AD6D7E5318BB295B30BCD4824FFE81F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119265Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:20.199{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92790D8E25143B55C5EC59225DAD7982,SHA256=12496279443B7255E7714CD49623940E0C86470965565D9568233122AD3B2E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160724Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:21.798{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=0828499BD7A6B1C7F482E7BB9D127D89,SHA256=E837E869F6D615F444B5C59DE8B88BAAF1DBF8192BD85404769997D653ADEA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160723Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:21.282{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0B3490B168FDB3A024A423EB09A832,SHA256=692A676362E1B38CBA330361B779B4A2DCC2D95AF9EC1FE8FB0776C34CA2A0E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119294Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B45-618E-8101-000000000702}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119293Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119292Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119291Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119290Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119289Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119288Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119287Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119286Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119285Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119284Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2B45-618E-8101-000000000702}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119283Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B45-618E-8101-000000000702}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119282Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.840{147D18E0-2B45-618E-8101-000000000702}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119281Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.308{147D18E0-2B45-618E-8001-000000000702}20402464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119280Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.215{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EFEAE916257FCD38AD30B5C2AF3550,SHA256=E388EBF7739A9300F509FF5C3E2AB2B3FC32AE85AD8BCC62CAE88C878FCB018B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119279Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B45-618E-8001-000000000702}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119278Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119277Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119276Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119275Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119274Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119273Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119272Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119271Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B45-618E-8001-000000000702}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119270Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119269Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119268Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.136{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B45-618E-8001-000000000702}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119267Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:21.137{147D18E0-2B45-618E-8001-000000000702}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160725Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:22.481{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234EA363F496BA149C32FDED42D50540,SHA256=303AA12EF8A2F5EBC6EBE7C0F5B6CD67F1DE134BF821EA75252CA17AF4D65682,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119312Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.511{147D18E0-2B46-618E-8201-000000000702}13243128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119311Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B46-618E-8201-000000000702}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119310Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119309Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119308Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119307Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119306Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119305Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119304Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119303Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119302Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119301Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2B46-618E-8201-000000000702}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119300Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B46-618E-8201-000000000702}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119299Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.340{147D18E0-2B46-618E-8201-000000000702}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119298Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:19.731{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119297Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.215{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0037BABFBA444533756EFCEF57FBE1,SHA256=0521CCFD7BC2AADDF5FA53DE4AA9431506A3D7A503D7494442D287C1B2B68CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119296Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.168{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4807FADF5B78D961537DC2A91BF9B6F6,SHA256=4E06053EC48B7F6E1BF5A371D5F08B23B5034F66FA25866C53BB4645D0DB2700,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119295Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:22.074{147D18E0-2B45-618E-8101-000000000702}13841800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160727Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:23.512{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4AA56795C9DC81276F1A381091D870,SHA256=51FED04106516C190E2DF485198AC127C70D6D8D48A5E317E3A4DD0AF480D13D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119314Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:23.590{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=054ECA5F39964D9463E0AFAA3F55B57D,SHA256=CB47CE0529D8741D365104608034B704B51FCA04166B17C6187B4C6883E4529B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119313Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:23.230{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EA18E0194B20FA4B2AF45A74F3C1CC,SHA256=C99793B0E739D2A3FC516DF6B652BE8C4F1F8C6A224A727FB4E361CD45DA1C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160726Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:23.481{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160729Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:24.762{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A202383B5C0113D9A43C8336B66B4BA3,SHA256=00D5D320AF8573F0177BC3514236F984CAB76B5D8B7FC78F853B4AA03CF0FF50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119328Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B48-618E-8301-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119327Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119326Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119325Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119324Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119323Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119322Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119321Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119320Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119319Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119318Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2B48-618E-8301-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119317Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.261{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B48-618E-8301-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119316Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.262{147D18E0-2B48-618E-8301-000000000702}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119315Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:24.246{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AECF97C7CC0E8649B42B734EA758839,SHA256=A8AB5BEA009D7A5A1F318D3368FED2DF9883FFE2655A90EC24BC29BA3C59D386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160728Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:24.061{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160731Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:25.895{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88ED3D576CBBF79B1658B1B783FDB28F,SHA256=14AF6A1B284F1D0C46DABE671A0C6B375E31AEFF6B0A013A6835F6B2FD112E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119330Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:25.277{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=540A2DA8C4EB01B7CEE85087EA287329,SHA256=3E8BCE5B99C9670C94D379A9276A302BBF566737B96522B9B2A40A029C968D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119329Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:25.261{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0707DFF26D9A8215F52551088DB33957,SHA256=EB12B5F37A88B5031ED4459A3824ECA29DD99C6EC6EABDEDD4050C1395965BC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160730Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:22.484{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58761-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000160734Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:26.941{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F74C3B2D449EB7CEF31DA1A4D847EA,SHA256=8E78E112497E2FEC9F8F0157D7D4F4C18391E1FBF9630C9C771FFE3B71CBE603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119331Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:26.261{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8760CFD923D453A8EB7E4E3C61653D17,SHA256=5D4F0AB056E5C5DDCA7B697687EF2E4034061E6357A9CB58869A98487B487FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160733Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:26.810{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=B10DC0E482DD3DC2F25068583321C9CD,SHA256=18D80E2989010A1F6481C4C6257EFB9C7DC0A3F6E1266DEA251FDA81F334D87F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160732Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:23.264{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58762-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160735Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:27.961{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852A882FA122B44B1A8518C95230C15D,SHA256=AFF65C5F2AA7F8B244A8E29496166B2DD71E3B98C67E0BBF0699C5187F503C13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119333Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:25.700{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119332Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:27.277{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC5730E1EEE3BC88FA0670865D663EE,SHA256=33B3A5CF897ADF74E17573ABEE314E73E57E4B1365DB1948DC764BDAE17EDEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160736Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:28.977{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0A1208F51DEDC26AF55DC0EC08B609,SHA256=063566C5A6660C93E69BFB93AA706902F744B41012207D1B5A2421EC34A4C9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119334Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:28.277{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDB09CEE6DB25EB89859A6737ABC647,SHA256=2FF8DAEDD78EC2BDEC8D8C06C4C33BCED4E45E1A9B8C563E0EB69935B6EC9C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160737Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:29.977{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AAFE7F8D0BBE35026BD526FACE52AAB,SHA256=20EF804A37A7DDCBA6842AEFB8DFF986D710491F1F3A868CA54620562E4510A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119335Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:29.292{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80F9E377921EE9975E8216C8B018F19,SHA256=A848B474670F340E0512530FA907F77B342E5F82F970588A292E5B879B7D1BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119336Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:30.292{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E5FA59D9BBC3EA1E9600ABAC92E6FA,SHA256=17FA7BBAEBE89CF9A40D933B68117ACA3D17B384AD4FAE48D70344B369ACC2D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119337Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:31.308{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FB04AF9E6541283D41FEBC69D62703,SHA256=209EDF4582C2809876D5B8554C0F131637A1ACEA7B3A6E6D7D50DA2349564F74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160738Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:31.024{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC688DB0D5AFD17A5F72A722186E173,SHA256=1930DA3A1C4BE4ED68A66FD2C7385EE2443933E3BACAD54241FBFD6085B3E757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119338Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:32.324{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADC5C33CE74791AC5C90EDCBDD0FF25,SHA256=EB90327BC30034E2E5820FAF669FD73381B2BCB09C491541B7AFC69A9AB89FFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160740Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:29.130{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58763-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160739Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:32.039{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD48D0C7D64E94B81E28233B1E3A0F2C,SHA256=C554C0F7D59FC60088CF97FC6B93804136AAD5426B346990B1B150749A1297F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119340Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:31.731{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119339Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:33.339{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE07EB2850529AC28F60CE134A9763C,SHA256=39627C9562DCF7E83CE4B7348FB874D8FDF336430302429C53936D0E44A841C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160748Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.276{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160747Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.276{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160746Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.276{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160745Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.261{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160744Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.261{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160743Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.261{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160742Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.261{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160741Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:33.058{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADD52F82BFE71621648F38323E3A1BB,SHA256=7BBFC6C079DF461BAF22A9DC3A02399E86379B7F15C7951E7C88FD73F7B31C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119341Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:34.355{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51766F626F3BE46FD2F4125FA41225F7,SHA256=5E96DCDDD613D3CACF05A419FCA0DF864D3D59D977807FF9F309CA4A447F4C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160749Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:34.076{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE94B668080A6BBEF4719B89AAD26748,SHA256=D6A05F3789024822A05E4F822AFC6A270CBB705048C7BC98049B53D7BA4BB3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119342Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:35.511{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE6643431395073E6C4FC281672EFDE,SHA256=96425945C5D09CA7FAC53C9469416700B164426CE23C2170DA95BD4516CC6DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160750Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:35.175{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE2A4CDE4C28D28D6C7F669464A69D6,SHA256=2934C87058F3BEA23588B0FE97EA7605EEC5CE14E362616981E39D4938C1D375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119343Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:36.527{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED0D8A7276193204C715D9DD303FD4D,SHA256=76F1A25BE632CD99539A9399FFAD704A15F1CFCACD18876EA7B5B5D9FF4A4EBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160759Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.980{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B54-618E-BC01-000000000602}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160758Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160757Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160756Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160755Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160754Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B54-618E-BC01-000000000602}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160753Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B54-618E-BC01-000000000602}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160752Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.938{189417FC-2B54-618E-BC01-000000000602}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160751Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.176{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC713F49F7CAF7E0268C87E6DFA6783,SHA256=2C5EF9DB76F0E33C6DE9EE6C385DEF7BB37ED98250528FC03DA536FD536F31CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119344Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:37.652{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4D1E94EA6BEE1ABDF71CBA287B29C4,SHA256=A209FA533F41489AE9003FAB2B4630CD3C5A955B97EE63192922C0E8B044FF04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160771Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.961{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15206613C7710D746E17E2F4FA544972,SHA256=541C5D0D96F6730E7F446FEC516CF3B4A85AFAFCE8AFEEF3DDAE0F61C5345B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160770Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.960{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15272840CF4483054A93CD2F2946A06D,SHA256=A1A1EAFA6232191660ECA1BE89E58D953186813F90925D6AD3348840A7AF02E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160769Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B55-618E-BD01-000000000602}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160768Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160767Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160766Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160765Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160764Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B55-618E-BD01-000000000602}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160763Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.440{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B55-618E-BD01-000000000602}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160762Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.441{189417FC-2B55-618E-BD01-000000000602}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160761Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.209{189417FC-2B54-618E-BC01-000000000602}58525480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160760Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:37.177{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72ABBF83C8D5825523ADDB6F8C375AC,SHA256=EE3E72F6D6B4D1C7FF44039C17E85384B3B1A70403DD43C553DDE4AFA891F050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119345Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:38.683{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6332927C79F1E8EBA487306E42189C34,SHA256=1EF44BDCE82D9046A11D5A9A8986B31DBB0A95C302F4A4F3912DDE95BE9931AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160781Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:35.060{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58764-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160780Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.209{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF1CD48788B7E47FFC6565561E2AA57,SHA256=FD2C1D7B1BD0451BCDF4E18E95F76299261C96010E8F70D6C2789BAF4D751526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160779Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.060{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B56-618E-BE01-000000000602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160778Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.058{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160777Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.057{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160776Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.057{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160775Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.057{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160774Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.057{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B56-618E-BE01-000000000602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160773Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.056{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B56-618E-BE01-000000000602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160772Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:38.056{189417FC-2B56-618E-BE01-000000000602}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119346Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:39.870{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7B589DD578B3D94B3F3461B33EA4E2,SHA256=4347CAB1701EE00BE51145CAB43B6B1EB83628ACF6FB30F673E42C6F7C7F6887,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160785Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.862{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58765-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000160784Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:36.862{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58765-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 23542300x8000000000000000160783Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:39.224{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C785CF64F9D05A875D136C130D1F870,SHA256=0B30BC3EB7FCB6F04C294190C4BD6A60887ABFD3D284009DB6C00FDA707D58ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160782Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:39.092{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15206613C7710D746E17E2F4FA544972,SHA256=541C5D0D96F6730E7F446FEC516CF3B4A85AFAFCE8AFEEF3DDAE0F61C5345B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119347Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:40.964{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4F6DDEBEDB69774FC00B4329A0F478,SHA256=999D1A2DB28E56217DA0C006CF40BA5975B40F3B081FDD9B6F6DDDE1B178F924,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160795Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.623{189417FC-2B58-618E-BF01-000000000602}58444904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160794Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B58-618E-BF01-000000000602}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160793Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160792Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160791Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160790Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160789Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2B58-618E-BF01-000000000602}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160788Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.376{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B58-618E-BF01-000000000602}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160787Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.377{189417FC-2B58-618E-BF01-000000000602}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160786Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.258{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AA6F2A339BF699C090275DF114B1F9,SHA256=92FA9E6B2F7A91D2FE084A7464BDDF5BD830274B33BA437FDC4072B9223155D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160815Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.901{189417FC-2B59-618E-C101-000000000602}60485592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160814Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B59-618E-C101-000000000602}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160813Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160812Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160811Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160810Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160809Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B59-618E-C101-000000000602}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160808Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.623{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B59-618E-C101-000000000602}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160807Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.625{189417FC-2B59-618E-C101-000000000602}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160806Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.407{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FCF1F764F54C5C55E4F8B468C02B65,SHA256=11EA8DCD546CBE64B38E1B76FDABCA9E48B2229C1F57B259A10B8002215601F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160805Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.392{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F811F31FD3C47B8713265ED31F2C9D2D,SHA256=E37F69CBAC16730943A037417B0A0F31539927EE785A695462B3318AA50740BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119348Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:37.715{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000160804Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.291{189417FC-2B59-618E-C001-000000000602}32605412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160803Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.057{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B59-618E-C001-000000000602}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160802Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.056{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160801Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.056{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160800Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.055{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160799Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.055{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160798Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.055{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B59-618E-C001-000000000602}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160797Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.055{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B59-618E-C001-000000000602}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160796Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:41.054{189417FC-2B59-618E-C001-000000000602}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160817Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:42.630{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCB8F40B3744AAD24B77CFC21E58C69D,SHA256=CB44F30E795D4FD782942948F5975A03541896D534B83591CBC0021DCA6B288A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160816Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:42.393{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2C49C5DF86CBEA5385EB2AEF460177,SHA256=C4151AC1C6BBA01ADFBDF3321C5931FE1BB984A85CFB3FFF59075DEC84B1FE09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119349Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:42.026{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017BBF43E9491A95C085FC38283B647E,SHA256=EA992D1C43496BFF2291D641FB163A60178793D060C3629270E57601C9E966E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160827Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:40.198{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58766-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160826Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.414{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD9251627ADA34327D66039DC7C675F,SHA256=193D2CEB4551072A3DE4F311023840B707A34A88A0DDD7C529D0DDD84A6C03A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119350Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:43.026{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FED2C944428B8EEC7A9C0D0805C1218,SHA256=9B2860A1BB09681E0D67EA74BBD5350D800979823C09C786BC7988443454A1D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160825Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B5B-618E-C201-000000000602}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160824Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160823Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160822Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160821Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160820Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B5B-618E-C201-000000000602}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160819Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.376{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B5B-618E-C201-000000000602}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160818Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:43.377{189417FC-2B5B-618E-C201-000000000602}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160829Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:44.561{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48008C8D87D08AA9E64BDC0464697C8C,SHA256=21A5E48436B628B0BDA88159A061AB502FB7D417E6A85763B85667A531FC96C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119351Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:44.151{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682111C5FA729B3378CE8D35BACCA48E,SHA256=83AD7EFF255358A7DF7303E67E8D72AC7A3FEF0B10BCF6BF18ADDA42D7F3DFCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160828Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:44.377{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D8A4EAD5D1088FDA4E6F8C198F35D8B,SHA256=142D8B3CA330BE5A1950CC2DF369D15C76C173946B4FF4127B4FDFD87B647D3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160837Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160836Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160835Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160834Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279FF8991E085B2805D4C4F489B8816E,SHA256=513BE33B251370B9AF2AAB49F972E4A0384E4D6E92315E2943736282E4BB2597,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160833Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160832Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160831Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160830Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:45.561{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119353Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:43.700{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119352Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:45.167{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3143F3CB0DD4241FE59D72D4948A73BD,SHA256=20D1B889883E63B797E71992ABD94501A25AFF1CF9D3CD5B9582162D6AA84769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160846Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.592{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7081358609F71F4DC9A9B94FAB6D995,SHA256=6DA0BEC4B9B011086DA9C25630D8D91CEE24131EF4777906D38862547838AEB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119354Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:46.245{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0100D188DF87665AD6B13A70C105E35A,SHA256=E8D96136EBE1331037220D0442BB9174C0803C991CBCFE461CAFA20467E8CAE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160845Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-2B1C-618E-B701-000000000602}40724244C:\Windows\system32\conhost.exe{189417FC-2B5E-618E-C301-000000000602}6024C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160844Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160843Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160842Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160841Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160840Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2B5E-618E-C301-000000000602}6024C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160839Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.560{189417FC-2B1C-618E-B601-000000000602}44245572C:\Windows\system32\cmd.exe{189417FC-2B5E-618E-C301-000000000602}6024C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160838Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.563{189417FC-2B5E-618E-C301-000000000602}6024C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.execsc.exe /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\djymreij.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=F8F36858B9405FBE27377FD7E8FEC2F2,SHA256=086C38FD66AEC0E824ECB74ECE3D7124174201A9B4F5C9974FCFDBAF04A5870E,IMPHASH=950FB6F62526333E663D35BA72D19DDC{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework\v4.0.30319" 23542300x8000000000000000160848Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:47.613{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2DA99A0E57AA6E6DAB0B5537948528,SHA256=6DDD595B26F9F5C739713C67D852CB72BCB04FD4B5EA433EF3296A552A9986AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119355Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:47.292{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FE52D1C10523F53CF13D13D295D143,SHA256=0FCD634E97FABB2E0F0587D7C5FFD87E311C5C9E70A7D438C54D01F5DE831EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160847Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:47.594{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FDB7B2A161F18D997E692E54342FC00,SHA256=176636A12CD8D0FB3B16C1E7A7150F6755E296922C695C3BDD2FF145A792F8A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160857Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.677{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE70240F4131D8FA7FB5D40BDF6BCDB,SHA256=D419BA6E6F88EDD16CD888195843F9B059455CCFAD25695062BB5374B809C76E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119356Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:48.307{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7051944BDD0EE275761C746CD0C490DB,SHA256=F2A248E32504985BEBBD2903B478AA7CEF78691BE0400614E78D97072BEF9B01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160856Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:46.115{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58767-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000160855Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.115{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160854Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.115{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160853Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.115{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160852Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.094{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160851Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.094{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160850Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.094{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160849Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:48.094{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2986-618E-7101-000000000602}4572C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160858Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:49.694{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2244519B7A5482A0C1E771FCC606A0,SHA256=F68D45FA1AB3EFFCC5514F59ABA2C891D026832B58180485A4DE5F0C835D6622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119357Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:49.354{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FD7324119A0B7D10619D0402A1F904,SHA256=F69F3F171AF7EF612763DB719B3C57810186A817EDF0A9DAF5F9C6FF13FF7C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160859Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:50.747{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFF63C01520083FA6BF9A093DDC52D0,SHA256=7C414F7D5DC65E2C079007CDBD5B600D820619A23E8ACD11C4E1DBE364541EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119358Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:50.386{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9915EF05D96052B6D52FCFD868CCAE8,SHA256=864EC7936737CDE79735145CD558B49E2C16544660D0400CA4D5C9EE59CB4E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160860Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:51.778{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B840B4ADF9C2EEC1A03809E55E1DBF,SHA256=E676EC5872F2C3E3BF01B8AC1EA865C95C867346299E3776DD1F3D3014A8E998,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119360Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:49.715{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119359Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:51.386{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CA034CF8E1076C09F8D64DD9BF7DF2,SHA256=26F8C86C11B38099A18F95E7E33C965D3D39A4905A5700D95A38499571F5C641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160861Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:52.976{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2474E000257B58F88EBE4136BF9D5B5,SHA256=0F7AC93624BC3DF3844754BA818DC4352C367E6552BED787242335DA0ECFFDD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119361Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:52.448{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4966CBE0294EC5CC15FA3704C5F3C599,SHA256=C520C6284D2FF687CF4B0E1B32A3FDCA2EB94D3C958D01FBD6E16F798A79622E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160862Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:53.991{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC751E76C6FB3EC129AAAB58F0124440,SHA256=086973A95055F6BBC0702D2C92BD7C4541A1D1D2A803940DB911BE360B44F97E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119362Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:53.495{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F396D9CB19B61744D3E639674D1BC1,SHA256=3FC4A2A0B3E88343EFF311B49BCF4E3262ED6ED5403055885A421B7A69282E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119363Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:54.495{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B8704B7A93DCC3C9B0BE4C5CD736CF,SHA256=FACD407485CB6B5049544920BDCB27E1CDE9C2A2A0453CD7C784E9130BF9FCBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160864Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:52.051{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58768-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160863Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:54.160{189417FC-2986-618E-7101-000000000602}4572ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\mal.bat@2021-11-12_085252MD5=9EBF44FE8CDA3B0C695F6F4CB27F48DC,SHA256=00780BF6EB126E7AE25A5E5A86E19F46CF20E238B1B06C358DA8B64C6647C260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119364Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:55.495{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C7130C7FC2CDB2790F3F07F727A3CC,SHA256=DF88BA3032C2F520DBB4377868EB19A3AC5F1E79A3ADA5C9C0BD73E144967D8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160872Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160871Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160870Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084716C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160869Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160868Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160867Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160866Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.075{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160865Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:55.028{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C365481F4DD9B46BA5931D93B3774A6F,SHA256=3F742DD846131842B763BB6D72388155F7A787C36AA9F4A83DA3EC814BB7799E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119365Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:56.510{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9457AF24F13AD7D4EB8E65C32F1B5B08,SHA256=F4CD522BA298B5155F3D30A4620E310329579B2CCBA232F1D574688142EBE5C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160881Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.143{189417FC-2B1C-618E-B701-000000000602}40724244C:\Windows\system32\conhost.exe{189417FC-2B68-618E-C401-000000000602}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160880Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.127{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160879Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.127{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160878Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.127{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160877Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.127{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160876Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.127{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2B68-618E-C401-000000000602}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160875Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.127{189417FC-2B1C-618E-B601-000000000602}44245572C:\Windows\system32\cmd.exe{189417FC-2B68-618E-C401-000000000602}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160874Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.136{189417FC-2B68-618E-C401-000000000602}5976C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.execsc.exe /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\djymreij.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=F8F36858B9405FBE27377FD7E8FEC2F2,SHA256=086C38FD66AEC0E824ECB74ECE3D7124174201A9B4F5C9974FCFDBAF04A5870E,IMPHASH=950FB6F62526333E663D35BA72D19DDC{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework\v4.0.30319" 23542300x8000000000000000160873Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:56.058{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F68CF1B55174D89AAA80E6749BE54DB,SHA256=2F440EF96CAB50577F6A98EC23DE01AD68CCEBD705A3F36010F92007DF556EDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119367Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:55.715{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50151-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119366Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:57.510{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280A7B8DBA5B633F648AE1A2BBE3CDFA,SHA256=FC4F87FC938EC0FC3D569AE7B235E5E2CB16F77A499F03A39716767F9F2322BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160884Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:57.190{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A35740A506253E610D9E1D7EE9FCCE3D,SHA256=BF18F8A258A661211795A6A333013F133CB98A24B8376CC98963ED196FEC3D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160883Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:57.190{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F285663FFEE452486839351A94ADB466,SHA256=693938537DE46DD1DFEBB44F6850B9A3CBC164C339ED1A4B4ADA0BB6C3FF6A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160882Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:57.111{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B08DF68BE5A111DFAD56FC20389ED2,SHA256=A92BAD83589002D7850EDD95A011FC583D44D21474D7523FEB4A4F6FCC431E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119369Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:58.530{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-033MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119368Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:58.513{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B045359C9AF2B4D6121AF362B9F11C9A,SHA256=060020EB97BA3A8CB8E83E78C349D61EF0CE9B6E208EDD70CD475FFCB837EDF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160885Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:58.126{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7725546C063F233D7976B76940A44F38,SHA256=CC0CA3CF32FCDAEF41AF3922C697F7F87C4328CB85EB96D6A8964846E426A196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119371Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:59.545{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-034MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119370Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:52:59.528{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAACA988FB43B789FAA8CA5DC67C87F,SHA256=ED8072FAF59ED680FCB9C2227692E90AB90B78ED18DAA0E5DDD2742700926329,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160887Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:57.149{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58769-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160886Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:52:59.158{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B45AB695EDA47B5BB5335247524008,SHA256=A96FA2A580E78CB0539B1A9D7CFF1776B0036C567635819ECA9F7A195B531A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160888Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:00.361{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816206D467B3F3084522BF178E0F98F0,SHA256=2DCF67DA722CEF34156018F65346C00462B13D0FFD45EC4FEF049466A75BB564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119372Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:00.529{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BB8129E8691B9F151ED6707B00529C,SHA256=95BF8122637F934D9F481A4D743067849EF6910965235B4B97DC774CC84092AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119373Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:01.545{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0453375299742842995A7409E413E48F,SHA256=F3F5387D69C49D1CBCE06957B9CD872F5A2423A2A8F6AD670E81B8624FC0D195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160890Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:01.544{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7050F77326B7231E98AB8DED8363285C,SHA256=A357DCBDDA25C99ECBD46974AA03AB0A07716F6DD5E53B6300796CCF9C724EA0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000160889Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:53:01.307{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a2-0xb2acfa88) 23542300x8000000000000000119374Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:02.560{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A9C0636A68F81E5B6A0634720A5B65,SHA256=8E3AA3A120E5D60E6C30FB5425217A534CB78D15A729011C530D3843E04AF73F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160892Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:00.312{189417FC-233F-618E-1100-000000000602}508C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-362.attackrange.local123ntpfalse40.119.148.38-123ntp 23542300x8000000000000000160891Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:02.590{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7207313FC4C9B2326F00F236C1B5709A,SHA256=A8AA33524E089F04D6A72255CE6DFC0155E1374438BA78E1098587E5EF366BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160893Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:03.608{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488CE184ABFF54A7AAA2CFBD39FD7E5B,SHA256=76D314EFA166FFF0825D0E9B6D2AC0B92C25A1661B7CF2E1C4E6AAF822673F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119375Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:03.560{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B9A31A9A68E733408030C30541D8E1,SHA256=830254354BAA81C7EB12EB2F238358D1837D6C07D8EB13606F2EB1198EE0C050,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160895Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:02.227{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58770-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160894Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:04.627{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FDAA2513B825D13FD0DAE2C283A37A,SHA256=D812A7C100901C363F241A121588A10F6785A2B330E167F41AEBAAD0F975CF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119377Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:04.560{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7314CB182D82748FF5C75928B4B786F,SHA256=D8222D2B998DC7E8EE938C1D60F1F6CC99C35395CCB010087A21B3BFECE70347,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119376Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:01.687{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160896Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:05.643{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0D0639C7F9A67D200439944FDC8C4E,SHA256=DC0E3BE32A68A5CADEBF1209481CE470285E3480915DC1FBD1C51ABF9F3AF4AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119379Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:05.638{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A40100A6EA2CE323C6001E22B8B95045,SHA256=FCBDDBB4D1F80C02E2707D600599ADC30F0662FE9B576E907C3B796C7D333FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119378Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:05.576{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A24F03CB24E31E3B892FD16E2F7EA1,SHA256=739E0939424D6CC1E5068315D8B36B6BC8208E32A3C46BE8D32FF7F255A77F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119380Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:06.576{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71336C63A68E107D3F872384227F9530,SHA256=0CC1915BE8E5F01AB2C1CFAC91ADC9F4121581A243AF0A6603038252B1C47DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160897Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:06.643{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622DD16981F30429C58E357C9651714F,SHA256=70AE6A0D88C7BA7F49FCBBE81839E73D97D42EB0FC73ED05C85E8DDEDBA6B3C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160898Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:07.643{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5652A94C13A2F017347807E0E15926,SHA256=0DA11DB5527742ED1CBF4077AF7203F66282CE54633E0B4AC55DAE0CF20299F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119391Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:07.591{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2BE57342A716067CF252083DBB9284,SHA256=0275F442AACCACAEA9394F2B6862252D16B52F49D353B6A62A734A960021A96B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119390Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:53:07.123{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000119389Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:53:07.123{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00202407) 13241300x8000000000000000119388Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:53:07.123{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d79a-0x54272ab5) 13241300x8000000000000000119387Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:53:07.123{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7a2-0xb5eb92b5) 13241300x8000000000000000119386Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:53:07.123{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7ab-0x17affab5) 13241300x8000000000000000119385Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:53:07.123{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000119384Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:53:07.123{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00202407) 13241300x8000000000000000119383Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:53:07.123{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d79a-0x54272ab5) 13241300x8000000000000000119382Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:53:07.123{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7a2-0xb5eb92b5) 13241300x8000000000000000119381Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:53:07.123{147D18E0-233B-618E-0B00-000000000702}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7ab-0x17affab5) 23542300x8000000000000000160900Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:08.727{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=59A13866E49B0A8E204969F3126C7372,SHA256=51E2D3BBE7F0024B1E46B436AC7D3DB83C804E244F7EAA42B2C61C2F564920C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160899Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:08.658{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8313A66DBE40D99489C56933F3F986,SHA256=D4F4386EABE58C26A85F995C0FEA2FAD9DC486FF0B1769F66CD3BBFE540B8ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119392Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:08.595{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA152DC6298AFA0A7747D300F621C3EF,SHA256=D85563483EDD5B0B7F32A43C93CEE7F6FBF691DF7DDAFE6052C4C06398EA678B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160901Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:09.673{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0067CE676686903571424F6474F2F247,SHA256=2EC3DF42736D06BDCB24F5C0B5690B7F645C6A4602A96A7A56C511D088DCA21E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119394Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:09.599{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E208AE2C5472C2E1CA6DABE54D94F186,SHA256=E57FE30DD2D6F8C3887C794FB5FF38C5A761F23FD3265C09481FC2AC65FF89A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119393Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:06.781{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160902Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:10.688{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30339AA3D807F495B8BD4F4A94D68C93,SHA256=B554F535F85393253D1B30517EBFA1DF9B98371C86436DA34586353EB9776810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119403Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:10.614{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED65C089C4F7DA03C2C50417D3C48A0,SHA256=26FD54659ADBBCC449968B4DE866DC4C54DBA451BEEBB146C71A5280AF2DDF87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119402Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:08.209{147D18E0-233F-618E-3600-000000000702}2392C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50161-false169.254.169.254-80http 354300x8000000000000000119401Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:08.117{147D18E0-233F-618E-3600-000000000702}2392C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50160-false169.254.169.254-80http 354300x8000000000000000119400Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:08.077{147D18E0-233F-618E-3600-000000000702}2392C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50159-false169.254.169.254-80http 354300x8000000000000000119399Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:08.076{147D18E0-233F-618E-3600-000000000702}2392C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50158-false169.254.169.254-80http 354300x8000000000000000119398Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:07.990{147D18E0-233F-618E-3600-000000000702}2392C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50157-false169.254.169.254-80http 354300x8000000000000000119397Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:07.940{147D18E0-233F-618E-3600-000000000702}2392C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50156-false169.254.169.254-80http 354300x8000000000000000119396Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:07.939{147D18E0-233F-618E-3600-000000000702}2392C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50155-false169.254.169.254-80http 354300x8000000000000000119395Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:07.938{147D18E0-233F-618E-3600-000000000702}2392C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50154-false169.254.169.254-80http 354300x8000000000000000160904Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:08.030{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58771-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160903Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:11.706{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B4F897461DDB79F98EDDCC8E94B588,SHA256=95674895918D2FCAFA597FA88F070E86C7697E30F4E6BFE2685741ABC43589B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119404Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:11.614{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16DF54D78A143089FC87BF27D95EFA64,SHA256=AF53142A5458F827F6F4A87A03105DA9FC09246E7194226C2DE25D2ADF0EA577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160905Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:12.723{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCF35156A812C706A1F979BFAFF39C3,SHA256=F8469F1B2E7252EE6DD74D93DDBF6B2E2B09CC72A9622157E23ABB1785E1CB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119405Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:12.630{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8FF8E9C939D89775916959902B2CB6,SHA256=4C8A19CC0055D549F3CF174A3FE2AA363C7658603DC348EFA1BBF769BBE2DC60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160906Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:13.769{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE7E6E839598658D1EAC26425C98F81,SHA256=0CD2208D9421B8184A7CC6667E678511C7CBCF6FE60A41F124E17204E1037049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119406Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:13.646{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419AC9BE8F5146814D40CC85B0E343DB,SHA256=AE8A9186AC6FFADAE8B7BD273725F806453D4A06FA46BE1B6A95A61852F7D77D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160916Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:14.822{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4371FB8BC6774A7F6F4EFB4745C7369,SHA256=0D8424FE56157BC8DFAC9425B967C56FD87D81D2B343D14CDA1581E02E22FC15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119407Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:14.646{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D527E57E3AEB3E59CE6B2B9AB30DAB4,SHA256=4DCF6D8B8DFA1DDEC754AD4ED6253F98B8DA968BD1F131E615D88E213E837176,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160915Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:14.054{189417FC-233F-618E-1400-000000000602}11122196C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160914Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:14.023{189417FC-2B1C-618E-B701-000000000602}40724244C:\Windows\system32\conhost.exe{189417FC-2B7A-618E-C501-000000000602}6116C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160913Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:14.023{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160912Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:14.023{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160911Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:14.023{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160910Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:14.023{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160909Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:14.023{189417FC-2973-618E-4D01-000000000602}19681584C:\Windows\system32\csrss.exe{189417FC-2B7A-618E-C501-000000000602}6116C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160908Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:14.023{189417FC-2B1C-618E-B601-000000000602}44245572C:\Windows\system32\cmd.exe{189417FC-2B7A-618E-C501-000000000602}6116C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160907Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:14.025{189417FC-2B7A-618E-C501-000000000602}6116C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.execsc.exe /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\djymreij.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=F8F36858B9405FBE27377FD7E8FEC2F2,SHA256=086C38FD66AEC0E824ECB74ECE3D7124174201A9B4F5C9974FCFDBAF04A5870E,IMPHASH=950FB6F62526333E663D35BA72D19DDC{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Windows\Microsoft.NET\Framework\v4.0.30319" 23542300x8000000000000000160919Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:15.853{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7760D8FF3F2BE278D5550BD5D4CA32E9,SHA256=3F6C615C58FEE8928BAE3D2CF92EBD8B6A489C9860DD0973F1B3B6B09BA66209,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119409Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:12.726{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119408Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:15.646{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9957D088329D4A69E77F4178D1E6AE21,SHA256=FACCA5886EE085315082B16FED4EAF537CA6747C71261D4556A350AB9972D724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160918Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:15.054{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EADE1D9DF9C9E16DA0242A5581DFAC18,SHA256=529A091C3099A0A1BBC355396D9157494F76535135C7BFF2C69AD2154D4E4D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160917Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:15.054{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A35740A506253E610D9E1D7EE9FCCE3D,SHA256=BF18F8A258A661211795A6A333013F133CB98A24B8376CC98963ED196FEC3D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160920Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:16.884{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D5B172A78165647E19CF071B981F7B,SHA256=26B3202801C5FBD741C530DBABCA92C8B9C3FD4DF1AAD7353AF38E67F86738D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119411Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:16.661{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B4A88B6F2684CD872852EC74A318D4,SHA256=1DED7FAF7DEF2F8CADAB5EBBA3A2FA4B133384D16D6014ADDC4CDEBC9F5C8F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119410Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:16.349{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160923Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:17.967{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48034614B3F6A50214A8D6EAE4DB8C65,SHA256=11FB59CF673E7C3C1AC331BFDED644100BD1ED1BCAAE3F4D07C970FC39DDA36E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119426Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:15.882{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000119425Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.786{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B7D-618E-8401-000000000702}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119424Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119423Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119422Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119421Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119420Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119419Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119418Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119417Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119416Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119415Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.786{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2B7D-618E-8401-000000000702}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119414Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.786{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B7D-618E-8401-000000000702}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119413Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.787{147D18E0-2B7D-618E-8401-000000000702}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119412Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:17.677{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB4E5AB0E9E54C2E5270A77105CE5A7,SHA256=4B18F409AF4C3FCF7E180DCDB3AC30EE262AA9CE8668EF5F8B0C401E1D56B9FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160922Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:17.240{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-033MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160921Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:13.176{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58772-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000119440Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.958{147D18E0-2B7E-618E-8501-000000000702}1192968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160924Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:18.254{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-034MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119439Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.552{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B7E-618E-8501-000000000702}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119438Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.552{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119437Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.552{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119436Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.552{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119435Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.552{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119434Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.552{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119433Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.552{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119432Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.552{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119431Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.552{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119430Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.552{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119429Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.552{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2B7E-618E-8501-000000000702}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119428Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.552{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B7E-618E-8501-000000000702}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119427Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.552{147D18E0-2B7E-618E-8501-000000000702}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119457Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.974{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B8B129EE6EABD8311186B3078C9437,SHA256=8E59B669678B58831E75F1C358526E2E8B19E200DB1A586C519DDFE6CBCC56B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160925Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:19.000{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9276962E31D8AE94D82C68226F68B68F,SHA256=8F5FC0E75606994A7820872047C6C0E00304182DF4B6BC9D3C6223EFBEB5E519,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119456Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.442{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B7F-618E-8601-000000000702}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119455Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119454Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119453Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119452Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119451Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119450Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119449Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119448Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119447Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119446Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.442{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2B7F-618E-8601-000000000702}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119445Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.442{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B7F-618E-8601-000000000702}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119444Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.443{147D18E0-2B7F-618E-8601-000000000702}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119443Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.020{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B86289CC174F33A0C25B6E328E575163,SHA256=C8442EAA244FDF084F12236FF4F39056E57A55C37EE084D9A614F16E4554B2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119442Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.020{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85A60F2E2D6E0AABF468D24DE2FC46B9,SHA256=E0EDEC64F9C98BCB698F9935A03CA484039AAFD14B05F1D931253E73CA975A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119441Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:19.005{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7549DBD9668B536CEF39D2A9AAD0AE,SHA256=351EF29358833193F07FC1E16D7ABF71BB8A9AECC8875685422C1686F6EF8D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160926Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:20.166{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EE4899A46B542391E757A3D5157C8E,SHA256=5A9D4F3F416A11480A02BDFF138289429410306CE7C2ACCED2A63661C874296D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119458Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:20.505{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B86289CC174F33A0C25B6E328E575163,SHA256=C8442EAA244FDF084F12236FF4F39056E57A55C37EE084D9A614F16E4554B2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160927Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:21.199{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADB6258579A9036AB85CC42E92C38D1,SHA256=6746012CC98BAD463701E37D69A6B5269FE3D3A595877521EADDDB251DF85397,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119486Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.833{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B81-618E-8801-000000000702}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119485Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119484Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119483Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119482Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119481Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119480Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119479Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119478Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119477Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119476Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.833{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B81-618E-8801-000000000702}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119475Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.833{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B81-618E-8801-000000000702}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119474Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.834{147D18E0-2B81-618E-8801-000000000702}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119473Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.333{147D18E0-2B81-618E-8701-000000000702}23282556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119472Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.145{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B81-618E-8701-000000000702}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119471Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.145{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119470Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.145{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119469Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.145{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119468Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.145{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119467Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.145{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119466Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.145{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119465Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.145{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119464Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.145{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119463Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.145{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119462Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.145{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2B81-618E-8701-000000000702}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119461Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.145{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B81-618E-8701-000000000702}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119460Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.146{147D18E0-2B81-618E-8701-000000000702}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119459Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:21.083{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D583C42929BA30D21BC8A805273F53D3,SHA256=A2665FFF1B591367E343F8E34E2F5377AA12A44FB1E88CABAB12C6E5BD176B2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119504Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.552{147D18E0-2B82-618E-8901-000000000702}20882608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119503Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.395{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B82-618E-8901-000000000702}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119502Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.395{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119501Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.395{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119500Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.395{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119499Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.395{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119498Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.395{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119497Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.395{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119496Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.395{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119495Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.395{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119494Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.395{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119493Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.395{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2B82-618E-8901-000000000702}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119492Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.395{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B82-618E-8901-000000000702}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119491Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.396{147D18E0-2B82-618E-8901-000000000702}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119490Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.380{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1CEFE5DB89A827F4CACDABFBF8EEB95,SHA256=9980204CF97F062D7DCC5377575455D14650DBC797A5417617DFB52E6687C7F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119489Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.302{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D774FD059C337D48DFE7C33E384425AF,SHA256=3A1E32E9667913CFC8A0C04586249BB9143B87BED046CFF3AF58BEDC45A5D37B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160929Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:22.233{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173FCA1BB210D3004A733E4C490B6F5B,SHA256=D79A141D1DAE63D831230AF8E80363E2C9C87C916C4DF22C12371527D485A830,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160928Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:19.172{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58773-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000119488Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:22.020{147D18E0-2B81-618E-8801-000000000702}9523476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119487Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:18.632{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119506Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:23.645{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80FCB00AAAC9D66F4CC74F388CDCC8DE,SHA256=1DB38C0FEFC26A532C7297A91A143508501B588DE634D55197D238A52D3BDDCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119505Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:23.395{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE082182DE445EEE0F8585869A1E3D3F,SHA256=1DF9A0307F8376B32455893E853A176FD2EBAB9F1175AEAFFF5419ECFACCC95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160931Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:23.516{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160930Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:23.248{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98AFF700DED4ED2B43C96E963E09CBE,SHA256=42AAC117A6BA2CB99BEAE3D48DAD14051959E04848D0BEE37F179B81D40F05EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119520Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.505{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74EE8644F02BD4137420472E581C60A,SHA256=0516C748B2567CD8444F2C835EA7EF71A83E7ABB9F40F5F469F36921744FB5DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160932Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:24.300{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8CC89D4020C312B210FBDA6793FFA7,SHA256=ECEC6AA00AB3909051C42891A62178D8AEF14E4B373CB881D1E8117575AC45F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119519Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.255{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2B84-618E-8A01-000000000702}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119518Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.255{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119517Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.255{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119516Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.255{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119515Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.255{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119514Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.255{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119513Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.255{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119512Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.255{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119511Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.255{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119510Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.255{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119509Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.255{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2B84-618E-8A01-000000000702}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119508Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.255{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2B84-618E-8A01-000000000702}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119507Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.255{147D18E0-2B84-618E-8A01-000000000702}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119522Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:25.567{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A29F8A9F0145122A8237471E91DE93D,SHA256=9F6E58A2F56161845CCA201514C639FAE809682EF4093CE46B0602418CCD6663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160934Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:25.615{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=9A1ADF49070872C08D6CE03DB90106EB,SHA256=5CDDD61A673AE3782BEB7CE16E0306887FE1769A1E8CE0BFB717036CDB302F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160933Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:25.331{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB7838A6D1D937736C542615C48DBCC,SHA256=F59591E2A463B0D340CDF9DD832E22418B28F505DDEC11A6D422FAB685C6976F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119521Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:25.473{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B27D07B2E1F92F8E5EB76521C863774,SHA256=C538E239789F3FABBDB95BE6B1334803D7E0F8A57518965F21559CAD6FB44FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119523Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:26.598{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA14CDA1F6B3F26540473B773DD81FC,SHA256=12AD46DFB208E28F981F5FAA48BFEC646B829E74EC4B0F816649BEAFCE5D0D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160936Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:26.377{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98980AD16C8A579F7167C0F324F77DC6,SHA256=1AFFB9295C387A8E4187BE68359A308BB9C93188F64E4FD42CAC85AC94A58012,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160935Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:22.516{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58774-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000160937Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:27.396{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9C414B4F53D03F1FFBF75B06AEE0A8,SHA256=36BF64279BE046A2EDCFB623DE48A5DCE9F336F36AB56B594D212883AF4B67FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119525Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:27.661{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF7EDD79E6BD2DD5EA5B84BD1F471A1,SHA256=63FE9C86FE6368EE9451A5E0CBC398CAD772AB97EEEC446BE9B4E5E34468A632,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119524Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:24.648{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119526Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:28.677{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2216CAC7D9FA38A35EC4C985FC1D91F0,SHA256=40D7584B31AEC1DFADCB7E3A63A78D55F21B8ADC65D22391CB73CF74BBA35179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160939Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:28.561{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC299DD9594D9260C045AF9F0B9A39A,SHA256=C4CEFC484C5A0B35D15BADC1B1ACF48896342052A4A4C18F24D7466721EA1817,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160938Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:25.137{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58775-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119527Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:29.692{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A40B378F8D72366E12D4BE7BD8B4ECB,SHA256=BE527C3C4BDCD0F399CB834A4CA673B4EF94DA5D2E10868C09CC1D9B73E8B2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160944Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:29.561{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BF5DD9418E5DC4AC843A961F7232EF,SHA256=F1090F2725FA926EC7512B6E5C78C9BABFBCF53298F13D69A5C8FD0A22D0A54E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160943Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:26.184{189417FC-2351-618E-3F00-000000000602}3336C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58779-false169.254.169.254-80http 354300x8000000000000000160942Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:26.112{189417FC-2351-618E-3F00-000000000602}3336C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58778-false169.254.169.254-80http 354300x8000000000000000160941Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:26.053{189417FC-2351-618E-3F00-000000000602}3336C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58777-false169.254.169.254-80http 354300x8000000000000000160940Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:26.052{189417FC-2351-618E-3F00-000000000602}3336C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58776-false169.254.169.254-80http 23542300x8000000000000000119528Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:30.786{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04DAAEF5EA5F4F4A990776DDB0566EEE,SHA256=8844DBBF83CABFA16C1758A499C368AB5C3403DDBB5DA474B9FA694ADCBFD9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160945Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:30.660{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E241D954BB95230324A4A94A202CC649,SHA256=C92547A89A6C3BF273877B7B0B65773C0E353FD69CEFC7710634DEDE89EF5C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160946Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:31.760{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA623D71FBDF610738AE8F5B4BF7F8E7,SHA256=70398EED25D228E7A90FD68BB7FD397CE2CFEBFF4B6454EB9D3907C306853E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119529Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:31.801{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AE992E6FE464BA922D19B698CC5C29,SHA256=0F47D031A922B4C81A5F7021F79615E44DBC7239C1677F645CE38F990B562CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160948Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:32.763{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF02F4927424D3422D4B9483AAD39625,SHA256=4406724D1BE5817C8E2646F4F11DE409526B332F4A766C3ADEABC971BADC371D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119531Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:32.817{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F632D2CF87AAF288DDF47830AE0F1EF,SHA256=6A4E6609065385E5D91A903DBE05756F176E0E855FF898C120B3DFB2F12FC6BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160947Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:30.266{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58780-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000119530Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:30.663{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160949Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:33.778{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA872E75901056F1BBE38834B78450B,SHA256=593185DDD84132B1544CC4708239E0DB03EB05EBD60E466D42239C4091AD979F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119532Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:33.817{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0562650F1258683E7A536A043921974,SHA256=7461FB034D5FD03A086375547BA33AB7028726CF5AB1A829D30CCB5D3F6530AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160957Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:34.815{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614DA93887BD9089261E6A7ABFF8ED40,SHA256=0B45BC38184DF2C473F43D6ACC8E6A85060EA1BA1332471EDD5651186C956B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119533Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:34.833{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8BB39E476BA706BE3671E328260DED,SHA256=DE02333FB84CD0F34C68C2FD0E71A58176B7E894293205B4B80C0BD5BEE542C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160956Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:34.615{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160955Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:34.615{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160954Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:34.615{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160953Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:34.615{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160952Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:34.615{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160951Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:34.615{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160950Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:34.615{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160958Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:35.961{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E05FBA1FC3BDDDA0040175F3D92F7E,SHA256=74C8D80F0058E15477B3FF7639F6BFB0BC66FAC7276021F1A96A58043D791107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119534Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:35.833{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB040491060C8C060F7D7DFF4D6E9A5F,SHA256=F59879DF5B75567367D0A5242B879144510B8CA6DF4E20E608572686ECF7E846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119535Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:36.848{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519CB25515B888FB6D4EC3745AFD6985,SHA256=F00BB234FDA209FCF48EA961CD63CCE3FAEDB32EDBA529D747FF8C908652E62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160967Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:36.962{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083C65F16E53BA86A0FBF6480A74E8A8,SHA256=D33479DE3DC31ECC8FA8DA959DB67D816910CE81EFBD9158009E1EE8C5745F12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160966Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:36.931{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B90-618E-C601-000000000602}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160965Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:36.931{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160964Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:36.931{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160963Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:36.931{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160962Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:36.931{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160961Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:36.931{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2B90-618E-C601-000000000602}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160960Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:36.931{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B90-618E-C601-000000000602}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160959Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:36.932{189417FC-2B90-618E-C601-000000000602}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119536Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:37.848{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5031D650D34CCE6F90DD007B36994BA8,SHA256=478C278CAA4F4208BB57215293FA1937A42FC3AAEFF928C744258D743D7B1725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160979Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:37.979{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC01ED4FF7EDCC7854AF50BCE29F976E,SHA256=AE1B7C8EFBC9609899D7DB57FA95EDD83082F79524B51D69AC746ADB1BC529A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160978Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:37.948{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=482C26649D7FD013EC6B3E58BA09D32A,SHA256=1E2992FE4EEDED30FCEAD63EFCEC50780A4E2B7DF98E31309AD80467FB35724D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160977Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:37.948{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EADE1D9DF9C9E16DA0242A5581DFAC18,SHA256=529A091C3099A0A1BBC355396D9157494F76535135C7BFF2C69AD2154D4E4D15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160976Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:37.832{189417FC-2B91-618E-C701-000000000602}51725412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160975Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:37.599{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B91-618E-C701-000000000602}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160974Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:37.597{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160973Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:37.596{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160972Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:37.596{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160971Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:37.596{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160970Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:37.596{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2B91-618E-C701-000000000602}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160969Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:37.595{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B91-618E-C701-000000000602}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160968Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:37.595{189417FC-2B91-618E-C701-000000000602}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119538Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:38.848{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B1F307866392FA3D6E917C0E7A87CF,SHA256=577510058B3FAABA91ED1660BA4102340835F056CC45C1F466F4409B122DF518,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119537Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:36.663{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160988Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:36.118{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58781-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000160987Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:38.263{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B92-618E-C801-000000000602}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160986Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:38.263{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160985Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:38.263{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160984Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:38.263{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160983Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:38.263{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160982Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:38.263{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2B92-618E-C801-000000000602}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000160981Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:38.263{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B92-618E-C801-000000000602}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000160980Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:38.264{189417FC-2B92-618E-C801-000000000602}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119539Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:39.848{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2084ABAE21D9D9EB1492052CFCB0D0,SHA256=C556BB0B9C624E76CB633516D44DDC8D45F5B72D6A1C129CF4A09C9E0CFB9CAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160997Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.458{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160996Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.458{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160995Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.458{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160994Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.458{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160993Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.458{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160992Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.458{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160991Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.458{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000160990Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.286{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=482C26649D7FD013EC6B3E58BA09D32A,SHA256=1E2992FE4EEDED30FCEAD63EFCEC50780A4E2B7DF98E31309AD80467FB35724D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160989Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.018{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9A97B9B8E35553E3E23F2238BE6FF7,SHA256=F043CCA88376B74AB5F1DDDCA335599E9D2D508E513E1940EE71F92F7A422C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119540Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:40.864{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152E73B2ACCAD6EA9BFD38FCD54F2CEE,SHA256=04FC2C6C17F0E85BA43929E30C845BFEB6F3AF9FDBA8AAA60BF16FE8F546E1F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161012Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:40.741{189417FC-2B94-618E-C901-000000000602}54925944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000161011Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:53:40.442{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x8000000000000000161010Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:53:40.421{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\5BC8AA72-1F28-4E14-BC80-83159E61745C\Config SourceDWORD (0x00000001) 13241300x8000000000000000161009Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:53:40.421{189417FC-234F-618E-2900-000000000602}2792C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\5BC8AA72-1F28-4E14-BC80-83159E61745C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_5BC8AA72-1F28-4E14-BC80-83159E61745C.XML 10341000x8000000000000000161008Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:40.389{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B94-618E-C901-000000000602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161007Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:40.389{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161006Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:40.389{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161005Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:40.389{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161004Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:40.389{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161003Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:40.389{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2B94-618E-C901-000000000602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161002Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:40.389{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B94-618E-C901-000000000602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161001Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:40.390{189417FC-2B94-618E-C901-000000000602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161000Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:40.020{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4BF0E19349C47FE84BD58764F5740D,SHA256=C23BDC997ACEDEEA5E86D45BF26054E2C1996D8CEE1B7A52DB1A0CE541B2B30C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160999Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:36.869{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58782-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000160998Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:36.869{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58782-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 23542300x8000000000000000119541Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:41.864{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C537B1F3447B90C7A7FD723EFF95949,SHA256=6E9EEDA5AE6997DF91EE14F9676970B991D6142CFEBFD83AA6FCF139A44B1BCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161037Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.941{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B95-618E-CB01-000000000602}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161036Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.938{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161035Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.938{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161034Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.938{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161033Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.938{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161032Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.938{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2B95-618E-CB01-000000000602}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161031Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.937{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B95-618E-CB01-000000000602}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161030Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.937{189417FC-2B95-618E-CB01-000000000602}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161029Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.481{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58785-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 354300x8000000000000000161028Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.480{189417FC-234F-618E-2900-000000000602}2792C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58785-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 354300x8000000000000000161027Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.465{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58784-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 354300x8000000000000000161026Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.465{189417FC-234F-618E-2900-000000000602}2792C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58784-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 354300x8000000000000000161025Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.429{189417FC-233F-618E-0D00-000000000602}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58783-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local135epmap 354300x8000000000000000161024Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:39.429{189417FC-234F-618E-2900-000000000602}2792C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58783-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local135epmap 10341000x8000000000000000161023Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.489{189417FC-2B95-618E-CA01-000000000602}55565428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161022Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.389{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C1AAADFD9F3BCF10EC1CC2BEC152268,SHA256=019523A5819280B7EFA1B8AE25CC380069116D1FBA916059D3B3173B511F5A8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161021Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.274{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B95-618E-CA01-000000000602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161020Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.274{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161019Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.274{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161018Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.274{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161017Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.274{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161016Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.274{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B95-618E-CA01-000000000602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161015Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.274{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B95-618E-CA01-000000000602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161014Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.275{189417FC-2B95-618E-CA01-000000000602}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161013Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.021{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5140A709E0C20C8AE1CAF6D6968206,SHA256=8EC2D07F71B09C5C14D32E6B439CDED32FA8F9DD604EAA64D041A9ECF69F2234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119542Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:42.864{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594CCE8F4AFEE2D98FB87E17C3113C9D,SHA256=611BCB2797B7FF062974AA45BCE67ECB2DFB4CB261E01D870D867DD809A52811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161040Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:42.960{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC28892A79FE590DB3DF7830D76882AC,SHA256=E5D928EAAC8BE7A63E7E792723546BA3A763153700D07756F274F0D9F25CABD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161039Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:42.158{189417FC-2B95-618E-CB01-000000000602}60925508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161038Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:42.074{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9950F5B69285F6CC9C0CB03D7C4D7BF,SHA256=AAE14BF8562997C64F479416D9492BFB4779EBC4175E1503B40FABA2F99CCE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119543Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:43.879{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F69DAF89E2F3A3D44C224299BF114B9,SHA256=11149A337EF352A3D6944C70939AB5D33EFFA7F58EE5D6FF60D25B9486017CEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161089Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:41.227{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58786-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000161088Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161087Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161086Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161085Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161084Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161083Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161082Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161081Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161080Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161079Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161078Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161077Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161076Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161075Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161074Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161073Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161072Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161071Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161070Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161069Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161068Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161067Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161066Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161065Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161064Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161063Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161062Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161061Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161060Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161059Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161058Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161057Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161056Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161055Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161054Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161053Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161052Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161051Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161050Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.492{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161049Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.391{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2B97-618E-CC01-000000000602}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161048Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.391{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161047Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.391{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161046Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.391{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161045Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.391{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161044Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.391{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2B97-618E-CC01-000000000602}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161043Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.391{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2B97-618E-CC01-000000000602}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161042Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.392{189417FC-2B97-618E-CC01-000000000602}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161041Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:43.107{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF10D3EBEB4C0900364646B1D3819F78,SHA256=4E5C1246DF8906767B12DC7261C79B9B9E37E623A296533F85CD12B78185BC18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119544Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:44.895{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C22D748DD3FFB4F017C4AAC4E4E3DA3,SHA256=85C5608F3415F45DC281EED9584C62CDD4770B983F1DE9FC75820A7DCB121775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161091Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:44.422{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4F3A4CABCC15512F854EF7CA586328F,SHA256=28DB8FFC2F13BE7837F10E8324527454CF4F6E12B8E6E136C83BD49D7BB34BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161090Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:44.259{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC5671CD416677DC04DA321F81BCB10,SHA256=426739E51E725BADBE00EA0718FDB1171D1ABEF4B620F66D4732D17FAA21BB7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119546Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:45.911{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE710278447620E816B44DEFF8F4B832,SHA256=F0814F6C202C412E9DAF3FADA6FE4495B0B84FA44B351F6BF9322A7134C520BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161092Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:45.290{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E083344B1E12C1052E4FF2B6BA7C9B75,SHA256=EE1BD402BD73A8DAEEE751A2F933F523150E5EDE792D9DF36905EDC1BE193DAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119545Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:42.679{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119547Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:46.911{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C665A57A3F7E9407501184EA8DA66A6A,SHA256=3B91E82D465E2A6452A9AC87CD82617926BB4A14DFC192020675042F4F68C5F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161093Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:46.291{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890EDE2459A70E91D30175D14C02DEBA,SHA256=23E61F36FD2611A87C62F26F9E01427BF49B5EB8E5DE148735A52C68A19CB280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119548Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:47.926{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A192674FF7FE76AEA2ADC6E2EA400A0,SHA256=FE3B3D632AAA08FEA6A4AE3E18A33662E1D372509D2DA2A28FFD138C5B662706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161094Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:47.292{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1071284044A7F6DB6E7413FC5F1121B,SHA256=3EBEA97A5E98860479484BA5B3BE8418BFFAF81A3FC59F2BD2C1D9971F24FD12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119549Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:48.942{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5450600D47879C0FCB644960EE02F7AD,SHA256=E354A2974DF63DD7A294BD4EFC453D763FB510CA9D749740B74D13C6910039FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161095Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:48.323{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D642F33BD191D3959F886AC30E17EDB,SHA256=A165D6C04E2F33B834D65DBC33CDE109D7D97AFAE87B9A059D607CF5B8A3F140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119550Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:49.957{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2713B1FCB2FE96F0065AB239D34FF6F8,SHA256=9175E395B7BB21793C6C2CF3C031B7D9BF1B68B476FE7B5A13D637A22206B0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161097Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:49.392{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AAE3B71FAB2B7C55CA1194D44D89B58,SHA256=2A7F9BD5973D4041DBE679FC26D7DF0DB4F57DF81F3D7E679C22BD7C964CEF39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161096Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:49.392{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=29FA22A062E0FF8FAC876980A1EEF99B,SHA256=3A5C69E7E949BE4ACB9644D55A881BE3769A73D463E9F0317A4507DD710DBBB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119551Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:50.957{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0A3D4AAEA53C16F67BA0CF3184D4C3,SHA256=08240A597B10E2070DC56704A8AD6D3922E3B14878312C1E284134C8C6288235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161100Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:50.423{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EDBB28243FFFF32AE173358841D512,SHA256=D10F7EAD22B6E4D098981886CC64FD68250104C21EF11C72E45CBB588180D4A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161099Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:50.207{189417FC-233D-618E-0B00-000000000602}640680C:\Windows\system32\lsass.exe{189417FC-2339-618E-0100-000000000602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000161098Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:47.145{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58787-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119553Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:51.973{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D55B5F752166B4653F669A871D49BC,SHA256=A62B255781B774473500A3C3008307D9F5B7763EEC4B8DA7EB600233EAC1E7EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161103Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:51.491{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335C9DC67F9DDF44AE6C3B66EBE2CFCB,SHA256=CD5C793F02898BDD842C6690ADEACFE30C6F6BAEE3359ED4F6C53D1D9B367B0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119552Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:48.617{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161102Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:51.122{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2B152AF37B04AD314BACC2C92EE590D,SHA256=5E5E3424E521A729186F9553BFCDCB61F5F7BE79CEC0D14545DC863B252FD2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161101Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:51.122{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D1F7733DA1DEBAAC54360882CDD375A,SHA256=5303EAB0C3423B6807D374E88C15DE21E315FF243F7C7F6BC17A01995044FE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119554Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:52.973{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BF1C45CE79A8B0B383943F59EACCAE,SHA256=D06D474DBA1BFD25E5FAFE4DEA0A72FC727066398418D5085803759F0DC0AB47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161110Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:52.591{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57190D9EBFD72B50AE17659872F626C1,SHA256=09073C51249AA5039FD92D10A1C19EA1DBE769850FA5348BE5BA1F107C81C586,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161109Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:49.235{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58790-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local445microsoft-ds 354300x8000000000000000161108Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:49.235{189417FC-2339-618E-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58790-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local445microsoft-ds 354300x8000000000000000161107Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:49.142{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-362.attackrange.local58789-false10.0.1.14win-dc-362.attackrange.local389ldap 354300x8000000000000000161106Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:49.142{189417FC-233F-618E-1600-000000000602}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58789-false10.0.1.14win-dc-362.attackrange.local389ldap 354300x8000000000000000161105Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:49.133{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58788-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 354300x8000000000000000161104Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:49.132{189417FC-233F-618E-1600-000000000602}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58788-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local389ldap 23542300x8000000000000000119555Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:53.973{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AEEBD98F0792935896C1A41F0B38A0,SHA256=72CEFF492F0F43B2F8AA01D837BC42AFD210BEADC0D0E313252816FD621C8E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161111Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:53.592{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E21C4C21519A0DDBF64DC4DFC03FA9,SHA256=76CCCC6325AF8FCE987B8DF99DE40E021C1BC020942D761AE98E23EDA1977C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119556Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:54.989{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7E35C2A447AD87618D319E21B6B288,SHA256=312AFCCD8B2D764E5DD1CA68138825E52220C60667A00C65655C80A25194975B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161115Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:54.623{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90EAE721B27CAB61CF4E92CFA763AB2F,SHA256=5B68E1C41EF0C9A50C436A4CE4E8461D93392A6ED5B1B2402E09D32AF3B66E7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161114Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:54.592{189417FC-2975-618E-6001-000000000602}45084640C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FCA63D08)|UNKNOWN(FFFFBAB51D2A5B48)|UNKNOWN(FFFFBAB51D2A5CC7)|UNKNOWN(FFFFBAB51D2A0351)|UNKNOWN(FFFFBAB51D2A1D1A)|UNKNOWN(FFFFBAB51D29FFD6)|UNKNOWN(FFFFF802FC77C103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000161113Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:54.592{189417FC-2975-618E-6001-000000000602}45084640C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FCA63D08)|UNKNOWN(FFFFBAB51D2A5B48)|UNKNOWN(FFFFBAB51D2A5CC7)|UNKNOWN(FFFFBAB51D2A0351)|UNKNOWN(FFFFBAB51D2A1D1A)|UNKNOWN(FFFFBAB51D29FFD6)|UNKNOWN(FFFFF802FC77C103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161112Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:54.592{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF20db70.TMPMD5=EAE1A877F1E70EC6E8A1C36B90B5FD06,SHA256=37A035AE6A66F2C57D61F6A22DEF6393BBEDA1F046CDEB7E66F00B2E3F5ED69C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161118Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.722{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2B152AF37B04AD314BACC2C92EE590D,SHA256=5E5E3424E521A729186F9553BFCDCB61F5F7BE79CEC0D14545DC863B252FD2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161117Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.659{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9930FA19A0008C81DD7304A00C8A0208,SHA256=F1B0402063FEAD04AC03250DB522B759E1032C8A91D5BA84FD27E209A51DD4B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119557Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:53.773{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000161116Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:52.262{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58791-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161127Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:56.721{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9AD1844F4E41F43C40C9E0E4088A73C,SHA256=DECB5981878061796FCA7F319E492EE79F39F313AB62F648157A5D1381525B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119558Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:56.004{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E1A4F3F620C303F69F8DF599C96D09,SHA256=7A2BA866BEDD51D8C5363D3905C5EC4A998A62738D8E5CF74A42AD2693C62119,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161126Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:53.724{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local63249- 354300x8000000000000000161125Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:53.724{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-362.attackrange.local63249-false10.0.1.14win-dc-362.attackrange.local53domain 354300x8000000000000000161124Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:53.723{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local49659- 354300x8000000000000000161123Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:53.723{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local49659-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domain 354300x8000000000000000161122Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:53.715{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58793-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local49666- 354300x8000000000000000161121Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:53.715{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58793-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local49666- 354300x8000000000000000161120Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:53.714{189417FC-233F-618E-0D00-000000000602}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58792-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local135epmap 354300x8000000000000000161119Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:53.714{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local58792-truefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local135epmap 354300x8000000000000000161137Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.824{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local65286- 354300x8000000000000000161136Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.822{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53045- 354300x8000000000000000161135Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.822{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local55391- 354300x8000000000000000161134Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.819{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local58018- 354300x8000000000000000161133Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.818{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50777- 354300x8000000000000000161132Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.815{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local55360- 354300x8000000000000000161131Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.814{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50137- 354300x8000000000000000161130Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.813{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local50053- 354300x8000000000000000161129Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.810{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local56748- 23542300x8000000000000000161128Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:57.739{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0CAD88DB06FFD3DEE494CDFAB40514,SHA256=050A655C786A6077EA9483375B729A6C972D9EF9B0BF411656BA06E5FA8CA5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119559Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:57.020{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790604101D8AC86FD822E4234D53B77B,SHA256=FA81C1B1F8886F6E140A5D508D82180F78648C900E61B6BEDAB8A9BD711E955C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119560Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:58.035{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8476458C38A0D5A30859754CB861681,SHA256=3098E4E5195677C996D3C4A497E48FC18E52B9D80189D42C7BBC6C842CF6A938,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161160Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.890{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local56777- 354300x8000000000000000161159Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.887{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local53704- 354300x8000000000000000161158Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.885{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local54410- 354300x8000000000000000161157Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.881{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local52658- 354300x8000000000000000161156Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.880{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50519- 354300x8000000000000000161155Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.875{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local54331- 354300x8000000000000000161154Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.874{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local55367- 354300x8000000000000000161153Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.872{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local53711- 354300x8000000000000000161152Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.867{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local65534- 354300x8000000000000000161151Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.865{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53860- 354300x8000000000000000161150Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.860{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local57390- 354300x8000000000000000161149Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.859{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local55331- 354300x8000000000000000161148Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.858{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local53362- 354300x8000000000000000161147Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.856{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58095- 354300x8000000000000000161146Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.850{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local63858- 354300x8000000000000000161145Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.844{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57149- 354300x8000000000000000161144Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.843{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local53719- 354300x8000000000000000161143Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.840{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local56512- 354300x8000000000000000161142Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.838{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local49670- 354300x8000000000000000161141Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.835{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51507- 354300x8000000000000000161140Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.831{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local63424- 354300x8000000000000000161139Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.829{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local55484- 354300x8000000000000000161138Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.827{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local51396- 23542300x8000000000000000161167Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:59.420{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=31B0CE354C1EB54F904D9EB3179E41C9,SHA256=840985E10A0260C3C586F6A6ACDEDA1798C1B28C86D0F1B1B509F4E4A6FBA234,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161166Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.913{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local49989- 354300x8000000000000000161165Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.908{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local50401- 354300x8000000000000000161164Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.906{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local52200- 354300x8000000000000000161163Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.905{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local65391- 354300x8000000000000000161162Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:55.901{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-362.attackrange.local53domainfalse10.0.1.14win-dc-362.attackrange.local57144- 23542300x8000000000000000161161Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:59.089{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CC40E3FCBE949EFB400B2030AE2684,SHA256=9E6B4802F4DB1A3AEF235A87F6BA2A475E5804460E90329F5D9B780269B67208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119561Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:59.067{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391344FCF70E127B373EC287BE408BF6,SHA256=067F89C82673A289F0C8CDE945783059335A7263C35BF5B3720292C83C53F81D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161169Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:53:58.110{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58794-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161168Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:00.121{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEA6E84063F27649FF26508157F9C70,SHA256=C305FB42D2DABC8F3C87B7D86ABB4FDCEE02AE1BDC2A22FE7F9887C5C7351317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119563Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:00.075{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4497AE40B01C8D641F9FECE0CACA0D4,SHA256=AC0C39B564D6347B2303BE0C92FCF3FCC740C5521992BCF353F4ABBFFDAEB98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119562Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:00.070{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-034MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161172Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:01.972{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84A1DF29CAB36746AEB4D71D389752D4,SHA256=1CA17520747B5C5157F4893E52A6A2C6A139246109A8BD8C75A1F657A2EE8079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161171Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:01.972{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDFF6384C127731E2B2D646E66D1DA5C,SHA256=6DBDF024FDB284FA07F1E80C7701749EA879B904E77CA2A29AFA11E2F93323A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161170Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:01.157{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABEB01A54D719044ABB4066C53AD3FC,SHA256=86168BA8574664754C408ADA083EB2D8C79B286D45EEB8D754EFBE48C2D087FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119565Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:01.079{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CEC8EE32F12B6C5A7F6700F3A02FBC5,SHA256=2CD7F3FCA62E1CF76960EFA4ECB8C9EE2E8AE2D47743A1BB8509D461BED138C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119564Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:01.068{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-035MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161173Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:02.188{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC2680518A1CBD9BC143AB1C440451E,SHA256=B5FB30155C060D6555E461391536CB10FCFC89E7DE3AD7BF3E3D063197B0E6A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119567Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:53:59.664{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119566Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:02.223{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90CD4885F86B93BCC47FEAF59F32ECF,SHA256=6542DA22C6F6F9320FE868D6F6DB2CEA0B7E1D40ABCE41E15407C63DD9441FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119568Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:03.239{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46B876BE2EECBD8CFCB570D255A6346,SHA256=C1E790A3138EDD17D2E2DAF7714498862C7766D6FB40F898A8183A4BB5A479FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161174Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:03.203{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BCF2C5DE5F08D8E09B35691A01DF38,SHA256=2836688F403E5FE118A25AD853119E0912F99EE2ADE2002852B9295B03CB14FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119569Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:04.286{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07B42A22CB5C605E61370411A30970D,SHA256=232C3968C17D0BF230BB06DB1FB64BE0822DE099700038794DE13436642BA00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161176Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:04.406{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=D2D4EA85476F315CA8FD7E0F850858A1,SHA256=3A20904DA24EE767B1D9E961D1ADA0B375D5B002A32F430EE8E2C04704DB1059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161175Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:04.222{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6969E2F84715816F127FA4B3CAB38D19,SHA256=C6CD5096C001234EEE035360BA82B64D61363DEF26B10781864BAF12387EA100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119571Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:05.645{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FD5B06318BC27ACDA4153982B2DE95D9,SHA256=8B9196FE7D1D39EC079C3E51578AD201F2847BD37FAC80E6349DD579266CC776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119570Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:05.317{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468AD1B15C8E9330AEBE24841609E554,SHA256=417454A95657DCCFAE094FF7CE90E9C6EB14201493DFEFD6362A63E890AFE3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161177Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:05.260{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C73067F487C94B785D2BEFE2EAE434,SHA256=CE1DB5AD3E1F99027E97D8ECD52EBD3D7E8B1E55EF64DCCFD62D1FADB55A58F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161179Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:03.228{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58795-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161178Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:06.263{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A772F773A1E29367DC2E8DC5A0C284,SHA256=55B7077AAA3B2272022C1E8E4BCD68A80DDA34C040F88E7FF4490F70AF55ACA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119572Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:06.473{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1183D758DFF180BA29C028724F765ECB,SHA256=6FD55943EFB05C7A4285BEABC1D4AC97F6ED35BF5BF5000A314D3087B1B31E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119574Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:07.489{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F299E549A5842B5B330E23E260BD5C,SHA256=BCCD47BB4EF42D67B0EFB66CBD3A349946C6246A25FFAB3F40D6B03CDB19BA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161180Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:07.493{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F3A6434F7182CFA86E5FC08F5101F0,SHA256=EF5C5ADCEC7A869600BE433BED00AD832CA1AB71668D90C21DFC558664C734DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119573Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:04.757{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119575Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:08.567{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E79DF39EEA3E36744010AE5EDD89413,SHA256=BFDB149622A00EE3BBCB9F372D76E2A5A6B5553580018B416332E64C2248029F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161182Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:08.741{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=14BF049B44A80CD2B17244E3BCCCD215,SHA256=595589FABC25BDC17518FAE6AE86FE148956B8B97B55ABE43790C510136D7FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161181Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:08.542{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF06222CB36F253A81532A255C5FC61,SHA256=02ABDEAFB3A4AF370EDB11480EF506BB2F827B0BD90011A60BA51911CEF26152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119576Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:09.692{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455F790886DC6F4170E327B190B1D36E,SHA256=709DBF0BB496BD91D6C358C4C3FA1FA2C5F01C593D94EA8E1D0B936E60DD69CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161190Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:09.623{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E019D0083E222420C583291ACDFCDED,SHA256=E1309678B858A035202B72AF22FA7AAE6ABCBCCC0B799953ABFA137BD9A6990B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161189Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:09.361{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161188Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:09.361{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161187Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:09.361{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B601-000000000602}4424C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161186Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:09.361{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161185Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:09.361{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161184Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:09.361{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161183Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:09.361{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2B1C-618E-B701-000000000602}4072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119577Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:10.723{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8162E24FE4FE0E148BAD0C3A4B7D8076,SHA256=30857E745ABF6EC303370F30EDBE36E966C6E004C08FC18C2EBE4308BC933051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161191Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:10.641{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C72E4D9EAB6B20AD74F06F30A0E787,SHA256=E4BEEE165137DD54582CAB45080C772FDE4DBE073FE4D873C6A3D26BD8C2CF4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119578Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:11.864{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3855E1B7E3F24F2CF10A48C29B11D88,SHA256=80B23D95FC68C3F62DE8B35CBCA71E584FBFB9164D169F374B395833BF863766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161199Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:11.706{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F38BC9395F4566A64B59E119C6BD8A,SHA256=3C8851A1D9118D8ABDC1149D139222489FE4658881BED5BA8B78896EA67A8529,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161198Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:11.490{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161197Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:11.490{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161196Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:11.490{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161195Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:11.475{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161194Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:11.475{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161193Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:11.475{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161192Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:11.475{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119580Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:12.895{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD3A2FF2D011826FFF7E396238676C2C,SHA256=F8437C119EAAA82AF6170798FF70B3D71C9C0545CE51E9B51F8AE08C4EA54294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161201Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:12.790{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EF4E19EF238E2D82529AEADB1BE7B5,SHA256=70C3A79986300F704D44471714F8B97B390CDDDAFE71A0725BBEE5368B33BB13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161200Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:09.097{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58796-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000119579Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:09.773{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119581Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:13.911{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A297BC34647A6A073F5A09474F436546,SHA256=E004EFA7171038D90CDE6867DE6F7B50803B777037A5FCBED67A35F16E7EC77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161202Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:13.805{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF590E94ACA8AB7E48AF13D5E3DA5C5D,SHA256=84DE425EDDB764180E491937CC3667CED088ECEC7C8FF1787193E4289EBD8815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119582Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:14.942{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0261C7BE916E50349DE3E2E3201C073,SHA256=223F9CE3BEE1C977A999A453BC350710087EEF7FAC6D0E9E349D8797FBF96812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161213Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:14.806{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A411667934D6037286F71BF60DB2FC9B,SHA256=9AA48F6155C2F94F8585AC82D0F3FF1462161FEF4159CD97CF1573FED4CE8C4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161212Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:14.521{189417FC-233F-618E-1600-000000000602}12522132C:\Windows\system32\svchost.exe{189417FC-2BB6-618E-CD01-000000000602}6008C:\Windows\System32\runas.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161211Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:14.521{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2BB6-618E-CD01-000000000602}6008C:\Windows\System32\runas.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161210Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:14.389{189417FC-2AAA-618E-9F01-000000000602}44363160C:\Windows\system32\conhost.exe{189417FC-2BB6-618E-CD01-000000000602}6008C:\Windows\System32\runas.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161209Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:14.389{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161208Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:14.389{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161207Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:14.389{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161206Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:14.389{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161205Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:14.389{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2BB6-618E-CD01-000000000602}6008C:\Windows\System32\runas.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161204Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:14.389{189417FC-2AAA-618E-9E01-000000000602}6484524C:\Windows\system32\cmd.exe{189417FC-2BB6-618E-CD01-000000000602}6008C:\Windows\System32\runas.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161203Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:14.398{189417FC-2BB6-618E-CD01-000000000602}6008C:\Windows\System32\runas.exe10.0.14393.0 (rs1_release.160715-1616)Run As UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationRUNAS.EXE"C:\Windows\System32\runas.exe" /user:administrator "C:\Temp\malware.exe"C:\Temp\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=04A3526D77C0C4622517F6E848A3D1E2,SHA256=06DD3C38BF47D2FAAEDDEBC27C3A1EB1D329F0E8664E0D0308B06F6214DDCA96,IMPHASH=89758AD95FE7510ED40C5D4DD1BFE503{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x8000000000000000119583Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:15.973{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7A6ADA29E24191ADAEEA607616957E,SHA256=52ED2FE9B6575992F8494DC21354A7DC809359BC4AB0BAD5F3281676F00861EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161216Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:15.821{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3AE8C6AB48526DAE84D05F423EC6AB,SHA256=42604D2D58C0B5FCF4D4F85118558A13053A08D7949F648DC93522706011B60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161215Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:15.421{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFBF8ECBBC2FAA47D0BFF0E96482F73D,SHA256=C36201B01AB3828D40270B96D9A11CEE14919BD461C8C685228FE11BD3A55B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161214Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:15.421{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84A1DF29CAB36746AEB4D71D389752D4,SHA256=1CA17520747B5C5157F4893E52A6A2C6A139246109A8BD8C75A1F657A2EE8079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119586Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:16.989{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F248C554EC8A1AA81BD15C68A85E5E50,SHA256=61AEF0BA0D05D19C1846C721668C19E49C2F3B8CE20F140D97442A195B862014,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161219Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:14.196{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58797-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161218Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:16.843{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6381EB3D427FE600A85703A8CFE75008,SHA256=8F2183DD24624C0CF969F01016E907802AAE2ADEAD9E7855A782249048DC95FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119585Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:14.790{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119584Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:16.364{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161217Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:16.458{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161220Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:17.873{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62A573F43F51A70D23C9D5E5D846074,SHA256=677B654306AF29D8D6658FE8781C1F935C756EAFA9B3A65BBEFF5332BD9B42D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119599Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:17.786{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BB9-618E-8B01-000000000702}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119598Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119597Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119596Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119595Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119594Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119593Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119592Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119591Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119590Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:17.786{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119589Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:17.786{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2BB9-618E-8B01-000000000702}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119588Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:17.786{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BB9-618E-8B01-000000000702}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119587Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:17.786{147D18E0-2BB9-618E-8B01-000000000702}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161222Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:18.938{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1549F7F3CEDC829EE7F88505A26D8F9,SHA256=AD1DA80A9F6E1DC1B6550B519E32992C7326511D2A18BD714908566943A1E293,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119614Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:15.898{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000119613Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.442{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BBA-618E-8C01-000000000702}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119612Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119611Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119610Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119609Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119608Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119607Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119606Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119605Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119604Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.442{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119603Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.442{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2BBA-618E-8C01-000000000702}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119602Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.442{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BBA-618E-8C01-000000000702}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119601Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.443{147D18E0-2BBA-618E-8C01-000000000702}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119600Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:18.004{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6BC6C5DE0FBF8E752212273D5E91E3,SHA256=0CFDCD1F132A8C7ACDB88EC2DE45EABFD4DB85DAA3F87FEBD636AA890A907DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161221Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:18.775{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-034MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161225Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:19.958{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B224033FE7EA68A1EEBBAD897CC197D4,SHA256=4AE5FA543569AA346EF44BB08540CAC578B91FE334BDFBA4FDA076815A2EC0C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119631Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.223{147D18E0-2BBB-618E-8D01-000000000702}12443360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119630Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.051{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BBB-618E-8D01-000000000702}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119629Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.051{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119628Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.051{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119627Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.051{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119626Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.051{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119625Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.051{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119624Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.051{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119623Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.051{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119622Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.051{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119621Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.051{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119620Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.051{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2BBB-618E-8D01-000000000702}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119619Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.051{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BBB-618E-8D01-000000000702}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119618Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.053{147D18E0-2BBB-618E-8D01-000000000702}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119617Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.036{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75FEF783553B442F32BCDFD482EE9763,SHA256=5C5435D9E3EA128FAC6911590070F5DA4070594C55ECB1E76C4F11EC2EA6AB78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119616Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.036{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6724017E3FC8CFA1E353A20AA0637A8C,SHA256=2A0B25BED7D363EA6CFA976FE0519638214061637BF7226702A223C759708936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119615Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:19.020{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A35975E674AE7307F1C117952F004AA6,SHA256=F043BA7EBAA780AF126E119E4805315D799BDB5022F5E65CBC01719BD304A86B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161224Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:19.774{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-035MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161223Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:19.489{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=D07E06D4A7AB59EE17D725909CAAD997,SHA256=95BEE496C1E56FAAF188FFF316A6CD058AD751541760CBB5F9F7364F0AB81047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119633Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:20.051{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB183592BCA17420F683323E810E2E9,SHA256=433B73E140E81507C178C92E0A21C4BCA52640CB5C95605EA9F88C17EA84898E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119632Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:20.051{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75FEF783553B442F32BCDFD482EE9763,SHA256=5C5435D9E3EA128FAC6911590070F5DA4070594C55ECB1E76C4F11EC2EA6AB78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119661Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.833{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BBD-618E-8F01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119660Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119659Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119658Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119657Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119656Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119655Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119654Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119653Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119652Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.833{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119651Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.833{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2BBD-618E-8F01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119650Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.833{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BBD-618E-8F01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119649Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.833{147D18E0-2BBD-618E-8F01-000000000702}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119648Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.348{147D18E0-2BBD-618E-8E01-000000000702}39403984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119647Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.161{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BBD-618E-8E01-000000000702}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119646Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.161{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119645Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.161{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119644Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.161{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119643Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.161{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119642Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.161{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119641Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.161{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119640Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.161{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119639Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.161{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119638Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.161{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119637Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.161{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2BBD-618E-8E01-000000000702}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119636Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.161{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BBD-618E-8E01-000000000702}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119635Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.161{147D18E0-2BBD-618E-8E01-000000000702}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119634Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.067{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923723961717D5946A8EDE111095A415,SHA256=89B03E878B87BD64380DEC23E314EB165A2C413D0840C958463194600FCB034A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161226Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:21.004{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E192319B3BAD9A4537281C35B7B5116,SHA256=E894E386B405DA5501363A682B73F5249D34C90A1954174FD1B07B65A7B52657,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119678Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.661{147D18E0-2BBE-618E-9001-000000000702}27004056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119677Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E4F238A83B06A70F8176E57EC5DE1B,SHA256=AB7D858F9918FEC69454F05C9E0427B2D5B835691877474F51912B6842916F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119676Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B2D6A69D728BB66F5AD99081EF45ACC,SHA256=6092AEE4E6196DE67DEC108EE5AA3B3B223BC3D02093BB1F8E259D2C6C4B239E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119675Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BBE-618E-9001-000000000702}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119674Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119673Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119672Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119671Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119670Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119669Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119668Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119667Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119666Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119665Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2BBE-618E-9001-000000000702}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119664Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.504{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BBE-618E-9001-000000000702}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119663Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:22.505{147D18E0-2BBE-618E-9001-000000000702}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161228Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:20.142{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58798-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161227Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:22.005{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6131C0A79F698C8F1C5E9F7F4D3D954,SHA256=BD9D968F2E682BC304B98F5A8D0B4DF68F04BD074A20BF894D5924C8FD7B931A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119662Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:21.989{147D18E0-2BBD-618E-8F01-000000000702}37082688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119681Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:23.551{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE8C63D8DDFC025A9B0D3E73AC99D322,SHA256=D1ECA2671BAC84862A244A985A7B372BC316BE471F3F99E86D78F130BFF67B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119680Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:23.504{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE727623298B51E1C4F94A5F3A490E9,SHA256=F7537D2EB388BA3B579AD70A412F4EB9D21022579ABC7F0A8189E2C275020242,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161235Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:23.590{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB3-618E-A701-000000000602}5808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161234Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:23.590{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A601-000000000602}5652C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161233Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:23.590{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A501-000000000602}5596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161232Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:23.590{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB2-618E-A401-000000000602}5288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161231Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:23.590{189417FC-2AAF-618E-A101-000000000602}43524764C:\Program Files\Mozilla Firefox\firefox.exe{189417FC-2AB1-618E-A301-000000000602}1108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b3bc1|C:\Program Files\Mozilla Firefox\xul.dll+936b9f|C:\Program Files\Mozilla Firefox\xul.dll+988076|C:\Program Files\Mozilla Firefox\xul.dll+dc7a58|C:\Program Files\Mozilla Firefox\xul.dll+21638b|C:\Program Files\Mozilla Firefox\xul.dll+7ca211|C:\Program Files\Mozilla Firefox\xul.dll+192a801|C:\Program Files\Mozilla Firefox\xul.dll+15fc82e|C:\Program Files\Mozilla Firefox\xul.dll+194fe03|C:\Program Files\Mozilla Firefox\xul.dll+928abf|C:\Program Files\Mozilla Firefox\xul.dll+25e1e|C:\Program Files\Mozilla Firefox\xul.dll+19b9f8|C:\Program Files\Mozilla Firefox\xul.dll+19a8af|C:\Program Files\Mozilla Firefox\xul.dll+40f0891|C:\Program Files\Mozilla Firefox\xul.dll+415bf65|C:\Program Files\Mozilla Firefox\xul.dll+415cd50|C:\Program Files\Mozilla Firefox\xul.dll+1e8ab23|C:\Program Files\Mozilla Firefox\firefox.exe+9e84|C:\Program Files\Mozilla Firefox\firefox.exe+1bfd8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161230Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:23.541{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161229Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:23.021{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43460781271926BA50E3F99A0B0E98C,SHA256=812DED95421D486B5EC78AB1C25D9D87C590339ADD226AC1494FF4E0564B7B53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119679Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:20.743{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119695Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.504{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED2DF33F6FEBD2400D6E6B4518A4977,SHA256=134CF6A1D61F1EE80EEDD511BCD0AD117E6957A78CFD4D70297CF9707FE80F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161237Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:24.074{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161236Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:24.041{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5FF26D41BCCF3F88BB9F1070B8613D,SHA256=A827337904866AB98E2DCC286654E6A8C1B26D48906D79017C0D52465CB35981,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119694Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.254{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BC0-618E-9101-000000000702}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119693Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.254{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119692Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.254{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119691Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.254{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119690Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.254{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119689Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.254{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119688Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.254{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119687Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.254{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119686Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.254{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119685Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.254{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119684Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.254{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2BC0-618E-9101-000000000702}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119683Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.254{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BC0-618E-9101-000000000702}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119682Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:24.255{147D18E0-2BC0-618E-9101-000000000702}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119697Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:25.582{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D42DAB94B24AA22457CF30151BB762,SHA256=66E60781B97A4B7E94C8A789392F239399B85EAA375E06B64C6221FBC8783F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161238Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:25.073{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF20EA5889D26E7F05FDC1C0C898FE3,SHA256=4F5DB1EE22DC0F622BDCD02F982FB3CBA5A5D2BC9FA2029FFBCFAEE38B8EA6A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119696Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:25.270{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2A465D436701F97EC6152A698D89DAA,SHA256=A38D3CF0322266AE997B66C0FEBFEE3B4C56F75F2E9B68941E2E91AAEC8510AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119698Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:26.645{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8871367CA2C85BC9FD0331C5B02E2869,SHA256=9A3301425E281640D1E377804EECFAA5315DA396F442AAB9E7751065146BA617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161240Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:26.304{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749A83B1F03050D86DEEB9BBBA7F6B4B,SHA256=7BD091643526239B510B8298B08A0EA4024B8B195DD6EF138777A5DDBEC5DE4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161239Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:22.543{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58799-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000119699Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:27.661{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1863A40206BB141F7F5C8EFDA9306C96,SHA256=302FE98140D75D7CF2A35548E5276F8F8B02C2CABE8E8CAAB91E1E6682DABD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161241Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:27.404{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CCB4F70461B3E22A24255BF562F93C,SHA256=DBBF840DE239BFF1DBF70397DCADF139BD8135437EC13AA7D7CD9C3FAC799F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119700Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:28.661{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C42E79FFC7CD3CF6C603400F13EB18,SHA256=2CBFAF3A2A4E3FA555700099110FA4316415FCE03BB31CC5A28182ED6CE1F58B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161243Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:28.419{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18722BEBD71D6F146AE5C4267C1F4793,SHA256=DFC16F44D8AB7809666F45328978DDE03C68033C83861B2752205E8591D9D889,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161242Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:25.279{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58800-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161245Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:29.420{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E9D2F3F23D261D994F676C6C3C93E9,SHA256=B42EF7A62C67337B6642E199343E1C15AEEBBEEB187636EDA89FA20D2762E2EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119702Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:26.679{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119701Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:29.676{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384A419D0E1A5324C44D2A8D2E352263,SHA256=B34DD21E44EEFDA2302137BA67AFFBDC7157FBA8C156DDD435CD447BD8C68214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161244Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:29.258{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=1A33195C51F29CCD640CF7F8262F6B70,SHA256=E272EB4246268FB221F60D65D720DD43583ACEBEDC8C4B9737E48218491484F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119703Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:30.692{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057AA7F56FE2384A5C75A689F3F47FAB,SHA256=DF964740A394B36CD7EE593797FADE55719668B2119E31346E0B4C18D65B4F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161246Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:30.519{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554D2F3372C3402326C153B2AB157B6F,SHA256=38360B1202931F90FFF130393FC2BC711F70A8A0315077C9AB7EA2847D79A8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119704Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:31.707{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B523D5048D5123BF47CA6388870955CD,SHA256=7A31D2C40A2A63D62BD603175A650BE1D2344F2DB24518535EA982717A37D917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161247Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:31.556{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768A18E28C772634485F39AC0F9EC86D,SHA256=91AB6B1D822AAAD7C600E6313946D9EE289763976129C0C5927A52DA3BE7E792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119705Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:32.723{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8239E709DEF67E0C929A3B2062570BB2,SHA256=88DFEB67C74ED5470E778FE94D8453CBEDACE4969D7E5E149886285EAD22B16B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161248Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:32.557{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975417DF5D69E093BC523C15F4A6BE6F,SHA256=C199208500E0D9234D0CF42BB131EA84637355862E4D012F2CAEF096735D086D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119706Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:33.754{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12553CA0600401D97C8B8153451066C,SHA256=AC26857B13B5EED06B5218485E5DBD3B99396F9997C1D5DC0CE866937493A8C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161249Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:33.588{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21760F87485C515DF856A33773BE111B,SHA256=393FE206D9680CFEA746117B0981DF2C4D6F74DF8C5CD9F866A29240FEE37969,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119708Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:32.601{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119707Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:34.770{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65AA29C5E59362E3408507766992D375,SHA256=AB42DF3F9B10969D06B280282E26E10BB0DCD521DD0C55C6063A9DAC788382BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161251Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:34.618{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1182BFD471E9548DA3711B3695F618F6,SHA256=133EB3A1E4E5F9B319E3FA9494435E8016DA98ECAD07726119B77CE4C5804B37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161250Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:31.140{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58801-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119709Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:35.801{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A837B4B4C84E57492192EC9C9A9B04,SHA256=4A6F959CBA4869586F9D28A2A579824E5A3F9F559BFEA9A4A672FB6957F04337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161253Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:35.619{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B63294008C4A7266B53D1E775D036F,SHA256=517F73A8BE9C900E45B013CDBCEAD7157ECEC97B30B7E4FCE269A3F4E89D1BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161252Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:35.588{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119710Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:36.817{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D7AB37B06320B2F214024E3A26DE7E,SHA256=210194D85F49731B4C6FCC1AF73E4A52FC92F806B80249038C0D5F6C144D92A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161262Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:36.942{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2BCC-618E-CE01-000000000602}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161261Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:36.940{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161260Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:36.940{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161259Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:36.940{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161258Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:36.940{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161257Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:36.940{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2BCC-618E-CE01-000000000602}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161256Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:36.939{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2BCC-618E-CE01-000000000602}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161255Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:36.939{189417FC-2BCC-618E-CE01-000000000602}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161254Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:36.644{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E58B7839CFC629BB6031A4DC8D98CFE,SHA256=DCACAD2C6E4EE7BCDA23AC4F26F64F62A9DF05FBD1074648E8FE583564944E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119711Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:37.832{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9ACCCF0D41D32607FFAB8998CBEB1F5,SHA256=ACA53464DE2C809804A76886675561024E8F971071518C4767213E8999D25EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161274Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:37.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A14512221266111DC452CF5BFDE66481,SHA256=CC2CAD913B66E4CEA2B237892F19F6CB1A91AE527F27FF2EDC7C417DDAFDA6DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161273Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:37.959{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFBF8ECBBC2FAA47D0BFF0E96482F73D,SHA256=C36201B01AB3828D40270B96D9A11CEE14919BD461C8C685228FE11BD3A55B08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161272Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:37.906{189417FC-2BCD-618E-CF01-000000000602}53044688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161271Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:37.675{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BD21CE2C782D1CA0A03D8A692E3BDC,SHA256=EA95AD767A9E93AFFC0C3C7D3B566E6834C3D161B328CDABFC9D6BCB73C02255,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161270Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:37.622{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2BCD-618E-CF01-000000000602}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161269Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:37.622{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161268Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:37.622{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161267Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:37.622{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161266Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:37.622{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161265Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:37.622{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2BCD-618E-CF01-000000000602}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161264Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:37.622{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2BCD-618E-CF01-000000000602}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161263Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:37.622{189417FC-2BCD-618E-CF01-000000000602}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119712Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:38.895{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC63FC8C475F30862E5BF8CF8A4C6543,SHA256=3181C4981243BF465F0F80D6001806ED19CE18F7E17E063FCA53544E88CCD1A8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000161293Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:54:38.752{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000161292Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:54:38.752{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002187fc) 13241300x8000000000000000161291Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:54:38.752{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d79a-0x8aab4ea7) 13241300x8000000000000000161290Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:54:38.752{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7a2-0xec6fb6a7) 13241300x8000000000000000161289Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:54:38.752{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7ab-0x4e341ea7) 13241300x8000000000000000161288Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:54:38.752{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000161287Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:54:38.752{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002187fc) 13241300x8000000000000000161286Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:54:38.752{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d79a-0x8aab4ea7) 13241300x8000000000000000161285Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:54:38.752{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7a2-0xec6fb6a7) 13241300x8000000000000000161284Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:54:38.752{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7ab-0x4e341ea7) 23542300x8000000000000000161283Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:38.690{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB2E8FB27B1E75C25C52D58CAD3614C,SHA256=0CE94BF34DA68ECACD428F02DC4CBEC5F512ECD7CDC1D5BA556ED393E4143EAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161282Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:38.290{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2BCE-618E-D001-000000000602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161281Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:38.290{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161280Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:38.290{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161279Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:38.290{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161278Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:38.290{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161277Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:38.290{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2BCE-618E-D001-000000000602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161276Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:38.290{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2BCE-618E-D001-000000000602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161275Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:38.291{189417FC-2BCE-618E-D001-000000000602}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119713Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:39.911{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A035AFA8E966DFF9E56543823BE6EC2D,SHA256=39F206799ADB3D2FD73F5EE8D8F067816FFF7ED8659482B0968F2FE3ACA95A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161298Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:39.736{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE3EA24409BC4EFEA4C9715FED2608A,SHA256=A70E96714EA60EA6D5A6188D445D235F2667F4810B17D5FA28F0A2FA57164AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161297Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:39.305{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A14512221266111DC452CF5BFDE66481,SHA256=CC2CAD913B66E4CEA2B237892F19F6CB1A91AE527F27FF2EDC7C417DDAFDA6DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161296Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:36.883{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58803-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000161295Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:36.883{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58803-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000161294Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:36.244{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58802-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161309Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:40.737{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EA8FC18D032BCAC216DBA826E3C54A,SHA256=6D4225F650551AED112069D42B93EFBB0DE3D53FB10687CAB3746268500A550A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119714Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:37.726{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000161308Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:40.622{189417FC-2BD0-618E-D101-000000000602}61365984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161307Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:40.506{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=C195327A85052E9589C4A0DAF7F8D19C,SHA256=2312B22FF0139D9857E1CCE84779E79766DB89BF4018D4CBA5C2DF22AAEA4FC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161306Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:40.388{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2BD0-618E-D101-000000000602}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161305Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:40.388{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161304Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:40.388{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161303Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:40.388{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161302Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:40.388{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161301Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:40.388{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2BD0-618E-D101-000000000602}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161300Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:40.388{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2BD0-618E-D101-000000000602}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161299Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:40.389{189417FC-2BD0-618E-D101-000000000602}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161329Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.918{189417FC-2BD1-618E-D301-000000000602}59761660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161328Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.802{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AE766FFE85475C4946AC7D34CFA13B,SHA256=65A85CA706E64B1A5731C13D031FCBD44E431273AB13D6A69D32DD4E235A6154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119715Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:41.161{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD825A749A23E22E8C70DE74FE499DC3,SHA256=8884AA36A2B254D9F671813008D89E6862E31A80B2015436081B5286B86116FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161327Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.655{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2BD1-618E-D301-000000000602}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161326Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.655{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2BD1-618E-D301-000000000602}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161325Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.655{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161324Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.655{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161323Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.655{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161322Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.655{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161321Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.655{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2BD1-618E-D301-000000000602}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161320Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.656{189417FC-2BD1-618E-D301-000000000602}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161319Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.525{189417FC-2BD1-618E-D201-000000000602}59484968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161318Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.398{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=216B15C74E372F193971122307948702,SHA256=BC272F30ABDD0E9F1FF6300F9703F4D9C2E783A4B4D56797CC5A6B63D169E38D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161317Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.052{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2BD1-618E-D201-000000000602}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161316Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.052{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161315Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.052{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161314Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.052{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161313Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.052{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161312Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.052{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2BD1-618E-D201-000000000602}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161311Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.052{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2BD1-618E-D201-000000000602}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161310Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:41.053{189417FC-2BD1-618E-D201-000000000602}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161331Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:42.803{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F735E00FD8071BC4B9D9FA86744AF116,SHA256=36133BBCECFC6385CB19C55173C91C1B983333719D578D53FEE13767A5E9E6DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119716Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:42.192{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEEA8C0AB46AB9476D9D1ED60D8129D7,SHA256=237B69500EE2D7CB9FDE3588E7B94E921C888FA815865565CBCE0C76EF9C02A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161330Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:42.657{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B14C1EC960BDDD6490063415264C8835,SHA256=6A32A7C72E7FF2CCDEBF964128E077E97B604000BEDBADE0E2C0C6A8AC23A819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161340Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:43.858{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597600463CFE523ECFB6032D94305532,SHA256=A5548B972016FA37E27D1A9D38E278403B4B77C54EC75B3A8CE626D3EE949DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119717Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:43.239{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189CB06497EB2C81232AB32C7AE8DB86,SHA256=50B1BE39B4F79487DBACAA0940E1B437723951045AD7F2B24A132E368830AEF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161339Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:43.405{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2BD3-618E-D401-000000000602}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161338Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:43.405{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161337Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:43.405{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161336Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:43.405{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161335Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:43.405{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161334Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:43.405{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2BD3-618E-D401-000000000602}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161333Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:43.405{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2BD3-618E-D401-000000000602}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161332Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:43.406{189417FC-2BD3-618E-D401-000000000602}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161343Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:44.859{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE4DB5CA88278FD31E2416D668216CF,SHA256=59353722634C2075174639DF8EF4E055E8927A082B3493BE3840EF3C041FAA79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119718Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:44.348{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122BDB6048CE936B51DD1D9F0B484353,SHA256=BF686C28794BB4DB5003C5B71BB0AEC4382AD715975118D191C1045F8459CE48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161342Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:44.406{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE0AA062E957AB5EC46B0E5E4CC3E711,SHA256=99F967FBFB75E5987A571B9BB2250D77C8AED6889F0D8229BCA866AA892197AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161341Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:42.156{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58804-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161344Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:45.958{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026B75438145B9EBBD6E2BF09055750A,SHA256=EC26FB3066B05ED242E73B20B5FE16CE3BF7FC5152374AB2F5FE164ADC8AE79C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119720Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:43.601{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50180-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119719Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:45.364{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0510FE01DAC4F1CFC4712E45B5A57907,SHA256=220C14C86D82B9FBA4BABF2BEC24A8C6DDF1AE0F4C9261ACB3C97572992C690C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161345Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:46.989{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB3CC512E8A962FD531AC88AA587617,SHA256=B90B6D7783D9580DCC9745245EB6D7C458336794651D613AD52DCAC71269997F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119721Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:46.489{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A8E1AB034888B97D5E74EE9223B5E7,SHA256=257C8FC6B5546318AA316F054C456A925FA79F13C03C7628AD5334A903706DC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119722Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:47.504{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2CADC2F04E67D4731A1F68ACF59E656,SHA256=F641D0C8B07EC2305E39C09DBF32D544733B08EF51F35756C066A5427DD4D0F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119723Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:48.520{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C24DEB79F301381895283B128DDDF7,SHA256=1E6A579FB49B3E346407AEFF6D6583ED3ABD4DBAA94B97E8CFDF049A8E037502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161346Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:48.020{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C019670EB42431580DC34A43243A972,SHA256=C407A00FBD7331F63E3588F27A0744D9DA4E99B28CE02C5759EDA20129896CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119724Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:49.535{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0289743C4BA1BB78B6F74521BBD41A2B,SHA256=C0C79EA1EB8F79BD870C0F954E8E1ACDBFD7EEE000F5C7F6763910FB095454E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161348Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:47.244{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58805-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161347Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:49.022{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2E311DF4B4EBA11BBEAF4DEA60C8DA,SHA256=7246CA2D746C0B34EF48EFBFCD0007E6E7942AAE81493DBF333E06D66E973436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119725Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:50.535{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F8FCA5D3C85A2C45977F5C293B37CA,SHA256=AEAECF3306537F4B33366645CB8E07E4AF43FF6869D794C550D30D031679446D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161349Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:50.041{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0252243E2984709E41BB8ACB20CFDB,SHA256=100F52AB82FE5DB2936FC6AE8FF527441FE8569B19A4008F6FCC31E87245F165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119726Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:51.551{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24208973F88EDCEFCFDB7C9521EC2032,SHA256=3BDEE459C77FE8FE049B8BDC30F68ED5CF3A5A6158DD85A148AEF4A98710515D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161350Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:51.059{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89BBA112B3EC216250C6939EC89B44B,SHA256=3E7C3616EFABEB4E3C2DD9175735F8A35F2EAB8722C7DA9A7276428DDFBF969C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119728Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:52.567{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26938B05A079F2BC25D830E272E8B0D1,SHA256=77BF07536290A946B16ADC3F32B6D379A3FBEAA3B4C92010DAF5AD9F4ECF23F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161351Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:52.089{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD2DBAFAD6281864B5B58D4726F35E6,SHA256=94C8DF41D4A4F6A92EF6726C826406E63F578C449EA88D6D47B1CC3B76EFE2F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119727Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:48.726{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119729Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:53.567{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B8B62736F7A32271D8F52B58A2A5C3,SHA256=378EFFAC612670053BCF774D3912DE804B2DFC79CDB5B6010851B4149002EAA4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000161388Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.904{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\UtilitySetConstants.ps12021-11-12 08:54:53.904 11241100x8000000000000000161387Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.904{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\UtilityFunctions.ps12021-11-12 08:54:53.904 11241100x8000000000000000161386Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.889{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\StartDPSService.ps12021-11-12 08:54:53.889 11241100x8000000000000000161385Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.889{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\NetworkDiagnosticsVerify.ps12021-11-12 08:54:53.889 11241100x8000000000000000161384Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.889{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\NetworkDiagnosticsTroubleshoot.ps12021-11-12 08:54:53.889 11241100x8000000000000000161383Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.889{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\NetworkDiagnosticsResolve.ps12021-11-12 08:54:53.889 11241100x8000000000000000161382Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.localDLL2021-11-12 08:54:53.889{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\NetworkDiagnosticSnapIn.dll2021-11-12 08:54:53.889 11241100x8000000000000000161381Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.889{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\InteractiveRes.ps12021-11-12 08:54:53.889 11241100x8000000000000000161380Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.889{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\HTInteractiveRes.ps12021-11-12 08:54:53.889 11241100x8000000000000000161379Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.localDLL2021-11-12 08:54:53.873{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\DiagPackage.dll2021-11-12 08:54:53.873 10341000x8000000000000000161378Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.842{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161377Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.842{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000161376Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:50.979{189417FC-233F-618E-1200-000000000602}372C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:30ee:6472:211:ff18win-dc-362.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 10341000x8000000000000000161375Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.658{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161374Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.642{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161373Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.642{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161372Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.642{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161371Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.642{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161370Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.642{189417FC-2AAA-618E-9E01-000000000602}6484524C:\Windows\system32\cmd.exe{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161369Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.632{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe10.0.14393.0 (rs1_release.160715-1616)Diagnostics Troubleshooting WizardMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdt.exe"C:\Windows\System32\msdt.exe" -skip TRUE -path C:\Windows\diagnostics\system\networking -ep NetworkDiagnosticsNetworkMiniMapC:\Temp\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=BB98CE2BD520AC69CB3D2F830974CABE,SHA256=C1237BDD2B574C1CBBB4A0D990773BBED5B6FE3BD14F8011C0E79F9CDDCA2B4E,IMPHASH=5D314604CE5F7FF83060B18832AA0D35{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000161368Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.542{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2BDD-618E-D501-000000000602}5504C:\Windows\system32\netsh.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161367Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.542{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2BDD-618E-D501-000000000602}5504C:\Windows\system32\netsh.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161366Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.141{189417FC-2AAA-618E-9F01-000000000602}44363160C:\Windows\system32\conhost.exe{189417FC-2BDD-618E-D501-000000000602}5504C:\Windows\system32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161365Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.141{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161364Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.141{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161363Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.141{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161362Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.141{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161361Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.141{189417FC-2973-618E-4D01-000000000602}19681584C:\Windows\system32\csrss.exe{189417FC-2BDD-618E-D501-000000000602}5504C:\Windows\system32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161360Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.141{189417FC-2AAA-618E-9E01-000000000602}6484524C:\Windows\system32\cmd.exe{189417FC-2BDD-618E-D501-000000000602}5504C:\Windows\system32\netsh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161359Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.147{189417FC-2BDD-618E-D501-000000000602}5504C:\Windows\System32\netsh.exe10.0.14393.0 (rs1_release.160715-1616)Network Command ShellMicrosoft® Windows® Operating SystemMicrosoft Corporationnetsh.exenetsh firewall add allowedprogram C:\Windows\services.exe allowed ENABLEC:\Temp\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=4D51BCD0B94D09F5DFB80DF754D31E28,SHA256=E5888E649C881E4BBBCE472F6808F93B2B5564D3094995A5A08E66B2406C1607,IMPHASH=51DC8B92EF1620527201E5276E21BCA7{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000161358Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.138{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1e088|C:\Windows\system32\lsasrv.dll+1d2b1|C:\Windows\system32\lsasrv.dll+1bad0|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161357Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.136{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161356Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.135{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2BB6-618E-CD01-000000000602}6008C:\Windows\System32\runas.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161355Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.135{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2BB6-618E-CD01-000000000602}6008C:\Windows\System32\runas.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161354Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.119{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2019F20E6D34EC9A77040CAF65A70F,SHA256=48718747A23EB7D554DCE0D1341102682FE0022C25FC87B9548C824438F867D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161353Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.019{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161352Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.019{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119730Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:54.567{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CACBA440835CEEF7299CB1022AD6A0,SHA256=939A6BAFA2EF07DDFD78D5BBE41B9038F93B71D64525C318851A4E05CFA1FA0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161424Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.420{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4FD9997376805B7EAA1B2AE29BE2CF4,SHA256=1C34E4B0862A427F35C0CDA09019C14A196FBE5C9E006E1DA37B977F37A7ADD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161423Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.420{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=304C39ABDDA5373BF37AFB3FE4EB30C9,SHA256=06117DCDC80A273E8D85494AC84B9634F6D40219C7F0FB64536BBEA8D183216F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161422Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.420{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E00A9D73946479E93FA01BCC43282B5,SHA256=39F0DBAE0B3F41FE30196876C25BDD9DB77088F159212D24A8D88975BBB58FB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161421Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.357{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2BDE-618E-D801-000000000602}5236C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161420Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.357{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2BDE-618E-D801-000000000602}5236C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161419Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.357{189417FC-2BDE-618E-D801-000000000602}52364516C:\Windows\system32\conhost.exe{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161418Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.304{189417FC-2973-618E-4D01-000000000602}19686080C:\Windows\system32\csrss.exe{189417FC-2BDE-618E-D801-000000000602}5236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161417Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.304{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161416Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.273{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161415Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.257{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161414Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.257{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161413Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.257{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161412Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.257{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161411Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.257{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161410Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.257{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161409Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.268{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exe10.0.14393.0 (rs1_release.160715-1616)Scripted Diagnostics Native HostMicrosoft® Windows® Operating SystemMicrosoft Corporationsdiagnhost.exeC:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=C91529A7EB209224BF6D6D47A4620865,SHA256=6FEDAAF41148F8E0803451B44AA5270AE6F96BF6D31CB81B3FE9459D2239E54E,IMPHASH=A625AFC217C115D82C4B28A4564D88A8{189417FC-233E-618E-0C00-000000000602}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000161408Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.257{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161407Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.236{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161406Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.235{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161405Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.235{189417FC-2975-618E-6001-000000000602}45084036C:\Windows\Explorer.EXE{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161404Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.220{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161403Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.220{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161402Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.220{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161401Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.204{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161400Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.173{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161399Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.157{189417FC-2975-618E-5901-000000000602}28524164C:\Windows\system32\taskhostw.exe{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161398Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.157{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161397Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.157{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161396Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.157{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161395Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.157{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2BDD-618E-D601-000000000602}5984C:\Windows\System32\msdt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000161394Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.139{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\AlternateServices.txt2021-11-11 13:58:19.679 23542300x8000000000000000161393Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.137{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\AlternateServices.txtMD5=222D75B854DF0ECEBAD9946EDE070DB4,SHA256=EC00E3DB8AB3284665A61B7394046814A2AA0601FF5F585DAF25DB12BFFD80EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000161392Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.073{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\SiteSecurityServiceState.txt2021-11-11 13:58:19.594 23542300x8000000000000000161391Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.073{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\SiteSecurityServiceState.txtMD5=A978231C880F74DE5E2803ACB7203AD9,SHA256=8E3F1C937FA6953F3218663B59013F5BB522668A3EB909F6A6C5DC1B207B71EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161390Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.058{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F207C354069DDD2C5FEA1DA34DE9F799,SHA256=94EA6ACEABBBABBCBA95D0BEADE94DDD982418024F752F5D7230AFE8E70885A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161389Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:54.058{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=17C2F1D66B218F2F28A2CBC3FD78BB75,SHA256=D720F8C84DB6BF654BCBC327579CCADE4F71D677526082CE8BA950950C77F7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119731Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:55.582{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1C565BD944C58EE7BC9D0BDFE842E1,SHA256=D79A451EA8A5DEBC301DC54A6CFA9D48776BE509966392E3DD4114BF2EEA7FB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161432Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.338{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58807-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000161431Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:53.110{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58806-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 17141700x8000000000000000161430Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-CreatePipe2021-11-12 08:54:55.675{189417FC-2BDE-618E-D701-000000000602}5500\PSHost.132811808942688571.5500.DefaultAppDomain.sdiagnhostC:\Windows\System32\sdiagnhost.exe 23542300x8000000000000000161429Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:55.544{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F2D1F4057295D5AFC88F0E7B9CB80D,SHA256=3853505A4722D04AD871BBCD55C822D7B3BD5909ADBAF77C89CFD2519CBF0D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161428Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:55.543{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4FD9997376805B7EAA1B2AE29BE2CF4,SHA256=1C34E4B0862A427F35C0CDA09019C14A196FBE5C9E006E1DA37B977F37A7ADD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161427Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:55.404{189417FC-2BDE-618E-D701-000000000602}5500ATTACKRANGE\AdministratorC:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yxqf15q4.a0a.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161426Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:55.403{189417FC-2BDE-618E-D701-000000000602}5500ATTACKRANGE\AdministratorC:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yhkcczcp.kio.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000161425Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:55.368{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yhkcczcp.kio.ps12021-11-12 08:54:55.368 23542300x8000000000000000119733Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:56.582{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0AEC0F6583850A063DCE5567A1F125,SHA256=04CA2CCD61ADAEB26B07C4D37A3B53182CB7215155E93018E066A3107B440D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161475Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.888{189417FC-233F-618E-1100-000000000602}508NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\System32\NDF\{63A6E59B-ECA0-4ED3-86B5-631E24D02218}-Session-11122021-0854.etlMD5=D1B4AEE58D64342028EF3BA94244FE69,SHA256=A7584190BA3A3D4A33DB6DCB09ADDDB924D7DDD33C3DCF9A3AD3B2E59D80AF9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161474Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.772{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161473Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.772{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161472Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.772{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-2BE0-618E-DB01-000000000602}5336C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161471Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.772{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-2BE0-618E-DB01-000000000602}5336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161470Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.757{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2BE0-618E-DB01-000000000602}5336C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161469Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.757{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2BE0-618E-DB01-000000000602}5336C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161468Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.757{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-2BE0-618E-DB01-000000000602}5336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161467Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.741{189417FC-2973-618E-4D01-000000000602}19686080C:\Windows\system32\csrss.exe{189417FC-2BE0-618E-DB01-000000000602}5336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161466Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.741{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2BE0-618E-DB01-000000000602}5336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161465Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.741{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-2BE0-618E-DB01-000000000602}5336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161464Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.741{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-233F-618E-0D00-000000000602}904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161463Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.741{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-233F-618E-0D00-000000000602}904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161462Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.741{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-233F-618E-0D00-000000000602}904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161461Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.741{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D7EC4FA0B445E210BC6E571CE4720AEA,SHA256=E62BCB18E51783AE7AC7C76DC56B0DBC8E6D1A63CA9012CE4B7715AC4214345D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161460Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.741{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-2BE0-618E-DA01-000000000602}3092C:\Windows\System32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161459Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.741{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161458Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.725{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-2BE0-618E-DA01-000000000602}3092C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161457Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.725{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-2BE0-618E-DA01-000000000602}3092C:\Windows\System32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161456Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.704{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161455Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.704{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161454Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.704{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161453Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.704{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161452Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.704{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2BE0-618E-DA01-000000000602}3092C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161451Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.704{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2BE0-618E-DA01-000000000602}3092C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\seclogon.dll+17dc|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161450Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.713{189417FC-2BE0-618E-DA01-000000000602}3092C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRunC:\Windows\system32\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa860HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{189417FC-233F-618E-1100-000000000602}508C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService 10341000x8000000000000000161449Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.704{189417FC-2975-618E-5501-000000000602}27085132C:\Windows\System32\RuntimeBroker.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x8000000000000000161448Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.704{189417FC-2975-618E-5501-000000000602}27085132C:\Windows\System32\RuntimeBroker.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618b3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+8ae8b|C:\Windows\System32\combase.dll+8c2c2|C:\Windows\System32\combase.dll+39b63|C:\Windows\System32\combase.dll+8c4cd|C:\Windows\System32\combase.dll+37f1c|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x8000000000000000161447Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.672{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-2BE0-618E-D901-000000000602}6024C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161446Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.672{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2BE0-618E-D901-000000000602}6024C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161445Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.672{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-2BE0-618E-D901-000000000602}6024C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161444Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.657{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161443Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.657{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161442Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.588{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62A8D2616149FFA9583F184F4B6F0D2,SHA256=A2B8286B452706B8EB490A215AD9E85C7822EF4A74B914669E47756A03F16CE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161441Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.588{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D3979EB212E950713FBB47D1F7BF280A,SHA256=DBD377C3935F6254EF2E93EE5262131EAA2260E202FBFD992471E489CFC242D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161440Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.425{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161439Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.425{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-233D-618E-0B00-000000000602}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161438Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.425{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-233C-618E-0A00-000000000602}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161437Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.425{189417FC-233F-618E-1600-000000000602}12522144C:\Windows\system32\svchost.exe{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161436Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.425{189417FC-233F-618E-1600-000000000602}12521308C:\Windows\system32\svchost.exe{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119732Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:54.617{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161435Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.223{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5BF72FD114AB89BC90003B8DF4985CB9,SHA256=9F5960F58941057E2B96FE1EF71C219B30916D7AD34AED618CD7E3A31C0D15C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161434Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.023{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161433Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:56.022{189417FC-233D-618E-0B00-000000000602}6403344C:\Windows\system32\lsass.exe{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119734Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:57.598{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF536EA370A9D34DC1541A903B2AFFD,SHA256=CFF5ACD8320EA35296DD58E6146EF1DD3236BF2A3FEF1C35D8AA4152F024FEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161521Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.788{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=78795A5DE27EE004A86868C688C65E2B,SHA256=B1D11B35098C4433B2638A47564C2BA057583867336C4B4A5ECC1CBFAF1E13C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161520Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.688{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10A05A07E68047C7334394F1330EC8CD,SHA256=7B02EDAB46F9E6659BEC3E6DC50128028E5B24F0B750845AE81EB866343EC1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161519Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.472{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B451D9B23E8849101426B6E650379F81,SHA256=D3842BE8DAF1F4C236ED9DB7E2E6B956F86D7056549E680838FF220C277DA78D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161518Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.457{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=747A114BAF6502B0D8CBBDD1086BA1D9,SHA256=5DBA02243CA1B4C9D881393B8030F42275A2F69C268C98EF2C28B6FE934324FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161517Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.441{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F207C354069DDD2C5FEA1DA34DE9F799,SHA256=94EA6ACEABBBABBCBA95D0BEADE94DDD982418024F752F5D7230AFE8E70885A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161516Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.322{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99105FCCEEA604636EBADD1B0E30F2E1,SHA256=D5DA85C2A77DF70230D2FB42F841AD0AC43654CB0106E80302726F64C27771B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161515Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.322{189417FC-2BDE-618E-D701-000000000602}5500ATTACKRANGE\AdministratorC:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\tmpCF55.tmp\setup.rptMD5=30D34B6EE66F8DEBFBF883ACCA6DABCA,SHA256=6E650C70259C2BC15695D0C0727EA1A1E88BB5FC8AC87BDE30BEDFE79FFDD29F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161514Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.320{189417FC-2BDE-618E-D701-000000000602}5500ATTACKRANGE\AdministratorC:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\tmpCF55.tmp\setup.infMD5=FF1DACDEEC1C27F7F68324D55B37B893,SHA256=53A59DFE7B3670BD0D24E42C1C347081F2EB5EA8C3F61A8514B35D334630CF52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161513Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.303{189417FC-2BDE-618E-D701-000000000602}5500ATTACKRANGE\AdministratorC:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\tmpCF55.tmp\route.print.txtMD5=666486646CD40938BC90650E4E5BA4B0,SHA256=BC2CA5FC718F9F3B73DC66277D621F331FE2D2F06574644BC89ED1C5564087DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161512Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.303{189417FC-2BDE-618E-D701-000000000602}5500ATTACKRANGE\AdministratorC:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\tmpCF55.tmp\NetworkConfiguration.ddfMD5=00848049D4218C485D9E9D7A54AA3B5F,SHA256=FFEAFBB8E7163FD7EC9ABC029076796C73CD7B4EDDAEEDA9BA394C547419769E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161511Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.303{189417FC-2BDE-618E-D701-000000000602}5500ATTACKRANGE\AdministratorC:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\tmpCF55.tmp\NetworkConfiguration.cabMD5=963C4EDAFDFC479D10DAC7E0CB58579C,SHA256=1C5580B6E6041EA26B3CF4CC94AE70D28E7F11C4D0AA665CB471429B3D7BBFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161510Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.303{189417FC-2BDE-618E-D701-000000000602}5500ATTACKRANGE\AdministratorC:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\tmpCF55.tmp\ipconfig.all.txtMD5=92BD13D3CA8BDEE4F322C90865EDEB2E,SHA256=98A00F73BC7E9468393C2E3FBBFCC4D0422EDD9294B99C65A43200DEAFA95F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161509Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.288{189417FC-2BE1-618E-DE01-000000000602}4968ATTACKRANGE\AdministratorC:\Windows\system32\makecab.exeC:\Users\ADMINI~1\AppData\Local\Temp\inf_4968_4MD5=2EA08FAC8EBDDCD517FF6689578DCF50,SHA256=53F985A69087F41B409502F2424E863C247A503DD84F7728D8D1DE50DEC0ABED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161508Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.288{189417FC-2BE1-618E-DE01-000000000602}4968ATTACKRANGE\AdministratorC:\Windows\system32\makecab.exeC:\Users\ADMINI~1\AppData\Local\Temp\inf_4968_3MD5=76F582D6748358222647407C3E9F9525,SHA256=548AB62DDE0EA8DA5C9AFF4804036FA3D32D6CF46F9A612F1A648B8A46FAF52B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161507Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.272{189417FC-2BE1-618E-DE01-000000000602}4968ATTACKRANGE\AdministratorC:\Windows\system32\makecab.exeC:\Users\ADMINI~1\AppData\Local\Temp\inf_4968_2MD5=4230347E5849E9C7230227A287AE4A41,SHA256=2484FA669042204D83D907DE45012A2AEF7F6687613CE76169097240415B0ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161506Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.272{189417FC-2BE1-618E-DE01-000000000602}4968ATTACKRANGE\AdministratorC:\Windows\system32\makecab.exeC:\Users\ADMINI~1\AppData\Local\Temp\cab_4968_9MD5=7B5B6C7BF41E6055ABD4E74476E08575,SHA256=2392619F397925A165CF31634781D68B006C396611C425F6C67F338356E47F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161505Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.272{189417FC-2BE1-618E-DE01-000000000602}4968ATTACKRANGE\AdministratorC:\Windows\system32\makecab.exeC:\Users\ADMINI~1\AppData\Local\Temp\cab_4968_8MD5=AFF2B3CA99FF9DD5FCA6B5CD01C5977E,SHA256=EE8DB2614E751B362902189E1C585AC0F234C869D1CF016442DF611CADE81E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161504Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.272{189417FC-2BE1-618E-DE01-000000000602}4968ATTACKRANGE\AdministratorC:\Windows\system32\makecab.exeC:\Users\ADMINI~1\AppData\Local\Temp\cab_4968_7MD5=D26804ED1F16D264CA579557346E1557,SHA256=1506AB0BD057BFBF3DF11520698C13D8F30C4474ED54287E2ED019D3CD9B3579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161503Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.272{189417FC-2BE1-618E-DE01-000000000602}4968ATTACKRANGE\AdministratorC:\Windows\system32\makecab.exeC:\Users\ADMINI~1\AppData\Local\Temp\cab_4968_6MD5=AFF2B3CA99FF9DD5FCA6B5CD01C5977E,SHA256=EE8DB2614E751B362902189E1C585AC0F234C869D1CF016442DF611CADE81E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161502Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.272{189417FC-2BE1-618E-DE01-000000000602}4968ATTACKRANGE\AdministratorC:\Windows\system32\makecab.exeC:\Users\ADMINI~1\AppData\Local\Temp\cab_4968_5MD5=FF52FA119BBE5A09D93D6FDE3D70C692,SHA256=703872B81A7B874300097BA1664660CD986B89928056EEE76CC4C157D064EADA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161501Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.256{189417FC-2BDE-618E-D801-000000000602}52364516C:\Windows\system32\conhost.exe{189417FC-2BE1-618E-DE01-000000000602}4968C:\Windows\system32\makecab.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161500Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.241{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161499Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.241{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161498Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.241{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161497Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.241{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161496Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.241{189417FC-2973-618E-4D01-000000000602}19686080C:\Windows\system32\csrss.exe{189417FC-2BE1-618E-DE01-000000000602}4968C:\Windows\system32\makecab.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161495Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.241{189417FC-2BDE-618E-D701-000000000602}55005532C:\Windows\System32\sdiagnhost.exe{189417FC-2BE1-618E-DE01-000000000602}4968C:\Windows\system32\makecab.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+e0710030(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb93489(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb930c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+e065b3f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb50036(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfbb3aa8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb95ab7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb95ab7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb95948(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb86668(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb93baa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb9371c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb93489(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb930c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+e065b3f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb50036(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfbb3aa8(wow64) 154100x8000000000000000161494Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.241{189417FC-2BE1-618E-DE01-000000000602}4968C:\Windows\System32\makecab.exe5.00 (rs1_release.200407-1730)Microsoft® Cabinet MakerMicrosoft® Windows® Operating SystemMicrosoft Corporationmakecab.exe"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddfC:\Users\Administrator\AppData\Local\Temp\tmpCF55.tmp\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=B51BF14D7B1D6B5CEE13E90B86A99645,SHA256=E73754E12402679C921E4903C4E1130DCA6A3714FF7A42866AA38692AD0874F4,IMPHASH=7DE6CE9E19402E4CC9EF92982F3CCC0D{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exeC:\Windows\System32\sdiagnhost.exe -Embedding 10341000x8000000000000000161493Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.172{189417FC-2BDE-618E-D801-000000000602}52364516C:\Windows\system32\conhost.exe{189417FC-2BE1-618E-DD01-000000000602}3092C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161492Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.157{189417FC-2973-618E-4D01-000000000602}19681584C:\Windows\system32\csrss.exe{189417FC-2BE0-618E-DA01-000000000602}3092C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161491Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.157{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161490Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.157{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161489Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.157{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161488Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.157{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161487Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.157{189417FC-2BDE-618E-D701-000000000602}55005532C:\Windows\System32\sdiagnhost.exe{189417FC-2BE0-618E-DA01-000000000602}3092C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+e0710030(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb93489(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb930c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+e065b3f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb50036(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfbb3aa8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb95ab7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb95ab7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb95948(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb86668(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfbebf9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+e08e06c2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfba94f0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfbeb36a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfc32ac7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\9c5a5644a83be0edd530a86dfeac133d\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfbb742a(wow64) 154100x8000000000000000161486Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.167{189417FC-2BE1-618E-DD01-000000000602}3092C:\Windows\System32\ROUTE.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Route CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationroute.exe"C:\Windows\system32\ROUTE.EXE" printC:\Users\Administrator\AppData\Local\Temp\tmpCF55.tmp\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=56AA12B243152DF359E79D143F248F1D,SHA256=BFE7A626BF3B9080997401969954AE0376476FD220E80CC52707FF31CE827D53,IMPHASH=B4266771AA756897B5C9C266177A6A5E{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exeC:\Windows\System32\sdiagnhost.exe -Embedding 11241100x8000000000000000161485Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.157{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\tmpCF55.tmp\route.print.txt2021-11-12 08:54:57.157 10341000x8000000000000000161484Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.125{189417FC-2BDE-618E-D801-000000000602}52364516C:\Windows\system32\conhost.exe{189417FC-2BE1-618E-DC01-000000000602}2824C:\Windows\system32\ipconfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161483Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.125{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161482Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.125{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161481Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.125{189417FC-2973-618E-4D01-000000000602}19681584C:\Windows\system32\csrss.exe{189417FC-2BE1-618E-DC01-000000000602}2824C:\Windows\system32\ipconfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161480Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.125{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161479Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.125{189417FC-233E-618E-0C00-000000000602}848880C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161478Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.125{189417FC-2BDE-618E-D701-000000000602}55005532C:\Windows\System32\sdiagnhost.exe{189417FC-2BE1-618E-DC01-000000000602}2824C:\Windows\system32\ipconfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+e0710030(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb93489(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb930c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+e065b3f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb50036(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfbb3aa8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb95ab7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb95ab7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb95948(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfb86668(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfbebf9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+e08e06c2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfba94f0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfbeb36a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfc32ac7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\9c5a5644a83be0edd530a86dfeac133d\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\c3380e6e5d748e38db1c65f298976e78\System.Management.Automation.ni.dll+dfbb742a(wow64) 154100x8000000000000000161477Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.122{189417FC-2BE1-618E-DC01-000000000602}2824C:\Windows\System32\ipconfig.exe10.0.14393.0 (rs1_release.160715-1616)IP Configuration UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationipconfig.exe"C:\Windows\system32\ipconfig.exe" /allC:\Users\Administrator\AppData\Local\Temp\tmpCF55.tmp\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=29916DCEA5377C19996B417D9235F42F,SHA256=5EE3FD7CA1AC876D0DE539D469BFC333594FCA3DF9F377CC96C756D9648697F1,IMPHASH=3636F50089F8190E3308E8AEA8F2043A{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exeC:\Windows\System32\sdiagnhost.exe -Embedding 11241100x8000000000000000161476Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.114{189417FC-2BDE-618E-D701-000000000602}5500C:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\tmpCF55.tmp\ipconfig.all.txt2021-11-12 08:54:57.114 354300x8000000000000000161524Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:55.823{189417FC-233F-618E-1100-000000000602}508C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEtcptruefalse10.0.1.14win-dc-362.attackrange.local58808-false23.3.109.244a23-3-109-244.deploy.static.akamaitechnologies.com80http 354300x8000000000000000161523Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:55.820{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53858- 23542300x8000000000000000161522Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:58.456{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A08398E67A099ED7F468C91D9155AD1,SHA256=E9A40D818B2B17FBD9F893F7FFE830D8F6B7EBADFC2F17224A12E417E08B5E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119735Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:58.598{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CFDEA42386F7D6A6952C6647A2F7BF,SHA256=84AF49494E88E41ED1021FE4B6419F6828D832855D2BD077469009895FC9C0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119736Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:59.598{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50F09E665A28E9390CA953EB992D2FE,SHA256=1C46EBA0F499B00D5C070285A9FE0245091683E1173731FE99356E68ACD1C633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161526Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:59.503{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9BE75C263ADF280D639F20349441E7,SHA256=87FD3110E6D643C92802D2956184678DB9C8FA445969C3821471044C9DF2BFE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161525Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:59.321{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\doomed\1873MD5=6788DFA3A89F3D1F09EED3E71901BEA4,SHA256=9DDE53C118D7BDDFB481EF9A883286DA3AC5B41AFDD8CBD7CF1D83054D572832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119737Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:00.598{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117285020173CB98ED176323A26E66A3,SHA256=9FE58242DD4AA03F3CD8C6D037F9BF913826A7960D54F4FF7478B518C2094935,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161529Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:58.225{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58809-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000161528Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:54:57.625{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local57272- 23542300x8000000000000000161527Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:00.540{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2605B319843DDD8F318CE3E6FEF201C4,SHA256=15812E2A93405C0FF7B99434B49374C6D963573FAC35DE370962A195A63A9D9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119740Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:54:59.726{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119739Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:01.600{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BFCF8DBF7219F3B7B86A9D3F46BA3F2,SHA256=36201D2725B970CEE7A52ECBCCF87BCCD28605ED5D541D0902C9F30019E3D39A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161530Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:01.555{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7077922E20C2ABC2A2263F16FA2D71C6,SHA256=89B85E6071D67E504B13BDFF66C3B8E1FEDD9A4FEAB5BDD69EADCE364D7DB22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119738Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:01.587{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-035MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161531Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:02.570{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9D03F9CCE4DE5715DDFEE15E3C53F1,SHA256=968DC4E8E7FA5D355F08DB6C018E8C465CA404CE4ECBEC4B2D802BCFAAF93735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119742Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:02.605{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03313C4834E3F5D298BB1B7B21F6C4E5,SHA256=9FEF15629C2B97C0C1F14B8994CF9A37478FFC282F610CC0DD75F7846B21070D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119741Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:02.601{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-036MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161532Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:03.585{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F4DEFFAB5CFB7AB09FAC2E26340B70,SHA256=DFADEA1045593A14D6BA689518CA353C557AC9E4EE44FA6EE76683DEBF601B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119743Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:03.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BEF8E32A2A116DA182CEC755017B3E,SHA256=788AC3D519A9752A8BE6B10FF43322790AE20B7E11960C85132A7DF2D3E94E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161533Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:04.600{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C07FE8640B8BAF9A1DB2F1356DC5A6A,SHA256=E2CECAE66AC7B53D75E6F582816AB8CD0B06E6D8BDD826497A7B6275D82976EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119744Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:04.615{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA698B00A5F7EEAF2B98839838814B49,SHA256=6B7AD1C35E454363F550BDD748F5F4D9FFC8039CBB1994E2F76BA4EA1158C8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161534Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:05.787{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1644F86E29384D5D04B1017DDD6F05AA,SHA256=49D78F588529B40FC0CDCE4E30ABD67D6AA571F640C789E11116BB723040AF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119746Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:05.647{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2F7C6086BB3C96EFA2ACFD34748C3144,SHA256=8E083FD0E73F9F47E8E53998DA8F8BED1B4F61B6B85ABD6C7CE1B6D510F4CA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119745Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:05.631{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61776A2F4630C2E3965FB4FF9A0C59D,SHA256=5FA1CA315A50403B310104F0A600BBE187809C19CFF6763A838BA63119B7D1DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161537Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:06.841{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49564B97B7281750D85C31EEBED9756B,SHA256=684653B8214F3B0F4AE0010457E165C2EB46A5F222ACD871A226B0030B36D014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119747Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:06.647{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A64F0BC21B7D2DA0575104A4E2D81E,SHA256=C97367B9DAF85CFF63CC5ACDB2FB890B9E6A722E1857A5C845DD61AFA71E471F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161536Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:06.524{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161535Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:06.524{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=F09D4BA3546448854B649FE9549B920A,SHA256=9DBEADC0DBEEA41DE49E4E4F9E1B1B4ACB2A477CBCEFD1DDFB91C7943D6D1321,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161540Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:04.140{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58810-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161539Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:07.887{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F3FDC021165624ABA4BEC266AC13D4,SHA256=CBBB8DFED62A00B8EA8B238FA62C076A067DD03B853C4E3377A580A102C6B220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119748Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:07.647{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B26B383D0F11A801CA261C70CE2EBBC1,SHA256=51A44F66DFFB76233F8544E8E06269343C939CD126885D563FE223ECDEAC5FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161538Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:07.771{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=9887E3F88DE6EEB2D6A110A2D4FD3433,SHA256=EEC254522E446185C3815331383E9DAD77CE09F0476CCD5337EB9B05CDCF8A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161542Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:08.924{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE60E09E222D5F2B3BABEEE2C9E55BB,SHA256=E2C23D44FE9CB9D6D6E16114C28BE7B83CAEB2F68694BDB3B8B5589FD01192E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119753Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:08.647{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA2037CB5A020CA8D10453097E05CB8,SHA256=F76A47B8BA8EC364748B16529D66584982ECFAB6559F660F1EC79F2FAADDCC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161541Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:08.742{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CBF26697809E5C2CE2B476FE30493FCB,SHA256=2510BBA37AF4047ED702D6479F0EEC70B84C12DE0B838714E1A23366AF4E3C76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119752Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:08.287{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233C-618E-1500-000000000702}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119751Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:08.287{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233C-618E-1500-000000000702}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119750Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:08.287{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233C-618E-1500-000000000702}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119749Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:05.587{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161543Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:09.988{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E126317F6E964394AB104B7F5CF887C,SHA256=D924880FAEE3A6A43BF0C0CC48F9072EC1AA225649853EBCDA51375CDACFB26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119754Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:09.662{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B900059438E2FCD783EC6A000B746A24,SHA256=BAB7774EBD65A3C36A0014F08E494E70249F5F9F5413529305C1BFC16B9854DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119755Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:10.678{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E24AF2757944BC95CDE744EE7EB8F2,SHA256=E1CDB40FB7B084D03686C22970C864B1F5888D1D4705724C397B910A745DBDD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119756Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:11.693{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB2C628F7B9314BD704A3D6650D7182,SHA256=3627D9D1E2303408B1D65881FB1E8122462619ED492E3622CCCA397EE58FB7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161544Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:11.003{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177F9F9FD2999E23CC71B289FAB79E00,SHA256=A9BA407F01FC6784F5064CFEE8823F93550B4515742B49F3A97B48F9BE7AE913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119758Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:12.693{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA32C2DF70451659E7FB0A6BF6A8590,SHA256=28F6C69DC7F6899EB6EDBE0FF571DA5D4AA11AE20830E44CC39BFCC79271EF8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161584Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.739{189417FC-2AAA-618E-9F01-000000000602}44363160C:\Windows\system32\conhost.exe{189417FC-2BF0-618E-DF01-000000000602}4624C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161583Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.624{189417FC-2973-618E-4D01-000000000602}19686080C:\Windows\system32\csrss.exe{189417FC-2BF0-618E-DF01-000000000602}4624C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161582Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.624{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161581Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.624{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161580Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.624{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161579Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.624{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161578Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.624{189417FC-2AAA-618E-9E01-000000000602}6484524C:\Windows\system32\cmd.exe{189417FC-2BF0-618E-DF01-000000000602}4624C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161577Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.632{189417FC-2BF0-618E-DF01-000000000602}4624C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\djymreij.cmdline"C:\Temp\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=F8F36858B9405FBE27377FD7E8FEC2F2,SHA256=086C38FD66AEC0E824ECB74ECE3D7124174201A9B4F5C9974FCFDBAF04A5870E,IMPHASH=950FB6F62526333E663D35BA72D19DDC{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x8000000000000000161576Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.586{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\UtilitySetConstants.ps1MD5=0C75AE5E75C3E181D13768909C8240BA,SHA256=DE5C231C645D3AE1E13694284997721509F5DE64EE5C96C966CDFDA9E294DB3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161575Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.586{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\UtilityFunctions.ps1MD5=C912FAA190464CE7DEC867464C35A8DC,SHA256=3891846307AA9E83BCA66B13198455AF72AF45BF721A2FBD41840D47E2A91201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161574Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.586{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\StartDPSService.ps1MD5=A660422059D953C6D681B53A6977100E,SHA256=D19677234127C38A52AEC23686775A8EB3F4E3A406F4A11804D97602D6C31813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161573Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.586{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\result\results.xslMD5=310E1DA2344BA6CA96666FB639840EA9,SHA256=67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161572Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.586{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\result\ResultReport.xmlMD5=C455257CDCB2DFBC378F51FC5F230CDA,SHA256=975F0B6C7930F1D9027677A60ADDA56B9922A085436E52524B181A6651692773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161571Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.586{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\result\NetworkConfiguration.cabMD5=963C4EDAFDFC479D10DAC7E0CB58579C,SHA256=1C5580B6E6041EA26B3CF4CC94AE70D28E7F11C4D0AA665CB471429B3D7BBFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161570Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.571{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\result\DebugReport.xmlMD5=1C94EA296DD7A5C13AFEEB7158472A4F,SHA256=1F65EDA102C08F1BEC86DB954CF64755145514B4DFD5C9CF03134DDE70E7A1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161569Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.571{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\result\63A6E59B-ECA0-4ED3-86B5-631E24D02218.Diagnose.Admin.0.etlMD5=D1B4AEE58D64342028EF3BA94244FE69,SHA256=A7584190BA3A3D4A33DB6DCB09ADDDB924D7DDD33C3DCF9A3AD3B2E59D80AF9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161568Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.571{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\NetworkDiagnosticsVerify.ps1MD5=9B222D8EC4B20860F10EBF303035B984,SHA256=A32E13DA40AC4B9E1DAC7DD28BC1D25E2F2136B61FF93BE943018B20796F15BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161567Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.571{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\NetworkDiagnosticsTroubleshoot.ps1MD5=D18DD3C5D111EECBFEC65251D357F3C1,SHA256=FC9CE9F57CB224D13EA1B973FA084E8F7FD00DD172D84B7C14E31085C58FEA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161566Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.559{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\NetworkDiagnosticsResolve.ps1MD5=D213491A2D74B38A9535D616B9161217,SHA256=4662C3C94E0340A243C2A39CA8A88FD9F65C74FB197644A11D4FFCAE6B191211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161565Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.559{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\NetworkDiagnosticSnapIn.dllMD5=E8840A3623E348A0C68D340E929F9583,SHA256=F845EB243DEBA21CAB0042014DB32848EA2160D2E88C7140B565CDAD001A85E4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000161564Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.559{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\InteractiveRes.ps1MD5=25B8543DBF571F040118423BC3C7A75E,SHA256=D78E6291D6F27AC6FEBDCF0A4D5A34521E7F033AF8875E026DF21BA7513AB64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161563Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.539{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\HTInteractiveRes.ps1MD5=C25ED2111C6EE9299E6D9BF51012F2F5,SHA256=8E326EE0475208D4C943D885035058FAD7146BBA02B66305F7C9F31F6A57E81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161562Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.539{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\en-US\LocalizationData.psd1MD5=3076B6303E0061A7607A192EE0A56762,SHA256=5DB6CB638A1820987350E3E8BBF2EE297F0723E115CFB5A4D6B2D04C5E425308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161561Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.539{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\en-US\DiagPackage.dll.muiMD5=96699C635A27C87D45ED43E73DAB6E8C,SHA256=888F94CE473A0267199C73385061ACD4CC7AAF90C260F09A00162FE18F11B0FC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000161560Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.539{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\DiagPackage.dllMD5=471254D344E260431363C9501CEE3347,SHA256=F1E8506F1AB84CD26AE38261698D801A16E274344CDFFADC6AF8FABBFC492350,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000161559Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.524{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Windows\Temp\SDIAG_d9d774d3-50b8-4025-9e8f-7f3d504956a9\DiagPackage.diagpkgMD5=869CBE34E78E2FF180BC6DC62377A336,SHA256=0AC3C3205A94912483D3D5869FDFEB827F9F6EF5B4B87E27F177FA0C5E3B431F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161558Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.524{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Users\ADMINI~1\AppData\Local\Temp\PLA7E24.tmpMD5=D953143422B4E1B2DCCA1A2772ADD932,SHA256=E31F7C7B1B33E03CDAB7B9A43B7962618269A271B0FB7A16CC2E5738332AD97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161557Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.524{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Users\ADMINI~1\AppData\Local\Temp\PLA6D6A.tmpMD5=52B46CA1468B7AA8C6295EB9A4CCD142,SHA256=5741A80776F4D96E60C5E0B07607DE5B766DC8430297D14F9DE91EFF3FA7CE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161556Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.524{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Users\ADMINI~1\AppData\Local\Temp\PLA494C.tmpMD5=CB9367C17F1575255FF10B1861821346,SHA256=3B537F4FCDCB6D832695B4D1EB1240CDA56E5A9308B70A8B760EF4540DF665C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161555Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.518{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Users\ADMINI~1\AppData\Local\Temp\PLA7C04.tmpMD5=52B46CA1468B7AA8C6295EB9A4CCD142,SHA256=5741A80776F4D96E60C5E0B07607DE5B766DC8430297D14F9DE91EFF3FA7CE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161554Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.501{189417FC-2BDD-618E-D601-000000000602}5984ATTACKRANGE\AdministratorC:\Windows\System32\msdt.exeC:\Users\ADMINI~1\AppData\Local\Temp\PLA7E40.tmpMD5=1280C70407E72697770A1A88A6BC6693,SHA256=B255932D055902D26ACA314D714C06C3DD37BCDDBCC226505DF0EB55457FDB4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161553Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.423{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161552Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.423{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161551Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.423{189417FC-2975-618E-6001-000000000602}45083628C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161550Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.423{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161549Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.423{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161548Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.423{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161547Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.423{189417FC-2975-618E-6001-000000000602}45084704C:\Windows\Explorer.EXE{189417FC-2AAA-618E-9F01-000000000602}4436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000161546Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:09.178{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58811-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161545Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:12.021{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798368F7A0E0799058CC3B6B0DA38B22,SHA256=C1BDB73C7141C0D6BEEF3B07176D71273DBFAF5C9AF67BE666B02FE9777E87D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119757Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:10.728{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119759Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:13.709{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2732C4851CB3D9D53DD81E12373BBD,SHA256=34DC1CEA20A8A8BDCA28D0CC8EED930B9A4935725ED8F41FA8058A8E815BA1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161596Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:13.638{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71613ACDAA5006DDFF2F0E7BDAF3606,SHA256=78467A944E441003DAE95516CDF6B8C992FA5F2C7E6DB70E2520941BB689CFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161595Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:13.638{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27B0AB5CD5EDABE790B6785DD8D427D0,SHA256=AEBEC2021620BEC6DFBC2113E35172102E84F60A30C241CB425B5739AF611A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161594Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:13.470{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=429248E3AF637CB4BF5ECE3C79B1F709,SHA256=B738422A1A0B0CB1127BFB1CACCAF109A16BA9F87D2DE66CA9A112ED683D90F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161593Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:13.139{189417FC-2AAA-618E-9F01-000000000602}44363160C:\Windows\system32\conhost.exe{189417FC-2BF1-618E-E001-000000000602}5740C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161592Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:13.139{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161591Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:13.139{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161590Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:13.139{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161589Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:13.139{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161588Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:13.139{189417FC-2973-618E-4D01-000000000602}19683580C:\Windows\system32\csrss.exe{189417FC-2BF1-618E-E001-000000000602}5740C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161587Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:13.139{189417FC-2AAA-618E-9E01-000000000602}6484524C:\Windows\system32\cmd.exe{189417FC-2BF1-618E-E001-000000000602}5740C:\Windows\system32\ROUTE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161586Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:13.147{189417FC-2BF1-618E-E001-000000000602}5740C:\Windows\System32\ROUTE.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Route CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationroute.exeroute.exe printC:\Temp\ATTACKRANGE\Administrator{189417FC-2974-618E-86FA-0F0000000000}0xffa862HighMD5=56AA12B243152DF359E79D143F248F1D,SHA256=BFE7A626BF3B9080997401969954AE0376476FD220E80CC52707FF31CE827D53,IMPHASH=B4266771AA756897B5C9C266177A6A5E{189417FC-2AAA-618E-9E01-000000000602}648C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x8000000000000000161585Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:13.086{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620AA89379DBFF9B992507A022102628,SHA256=3ECBFFE7661AF8DB2D2DFD648F6A9BA1A8188B54B16B075AE04202DAF734F58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119760Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:14.709{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE70E954721F8A86846117EEB6C8E344,SHA256=A7F4CF605AA0158F216868CAD951850A72E87C4162EE85CF2CAD9F660CDF93D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161597Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:14.100{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68635604E6DE04E19B8137C492CD0FC,SHA256=60F59397D7A6AB0827973E355786F1BD4A21CF17879C46963E993B4C37D72230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119761Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:15.725{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A58E2DB1ADB9165CD00661BAB05BA00,SHA256=DECADC23993CA73690603CFB77D0657FEB1B65E20D8A99A525E3AE6A86774189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161598Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:15.168{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0ABB09E7FE0156EBDE9DA99312662A,SHA256=3D7E445A14F8D4DA54CCCCFC87B6A6839FBEEEF5FF5BF312EB236088CB02F2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119763Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:16.834{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE539C5F398FC03FC3D4D260053DBCE3,SHA256=5B4B62CC78AE0CBD8A1CA3FFC322A3CA46704BEB2EABA3B4AE51C3149C7A6BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161599Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:16.198{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944C8DFFA299F47C5A19313359D0451D,SHA256=AC22D4A693AB12634B243CDA66CE6609DDC97237CC36DB0BBB555936AD506EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119762Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:16.381{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119777Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.850{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567DEF50A3832F55C99621F1190D3A78,SHA256=477245F61D71E0BF7924A07B1BED78ACAFBF2BAA4FB9690F1B3D61F00CF54A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161600Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:17.215{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338A98B4B5A4072FFF93710066CECE2E,SHA256=CBFD765BFF834BB23BE634EE3828B69621F537C46AB9CCE37A965D6E7B12B288,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119776Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.787{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BF5-618E-9201-000000000702}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119775Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.787{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119774Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.787{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119773Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.787{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119772Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.787{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119771Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.787{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119770Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.787{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119769Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.787{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119768Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.787{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119767Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.787{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119766Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.787{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2BF5-618E-9201-000000000702}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119765Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.787{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BF5-618E-9201-000000000702}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119764Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:17.788{147D18E0-2BF5-618E-9201-000000000702}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119796Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.959{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220CD51AEF40EC02BC3E11D9E0E7D690,SHA256=7469615F8A6A0B7B206BB3D6C80D9955A3FF355C36EA83F837696C44E26A1B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119795Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.959{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B3401D93948D50AF46415897626BE61,SHA256=12294F800AF21E4CB15772A6476C4F06D03CABBC60860CCAE6A5C85047B9B2A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119794Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.959{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18722DB876FB876B006865909B70888D,SHA256=333768983A0BEB714CB21E3C5C08238405CB6337E49E6FDBE92F2F4FD7C8A003,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161602Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:15.073{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58812-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161601Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:18.236{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F62E270087CBB0B70F21659DDFE90F,SHA256=AC8B2C3554E6DE81D89482980B1ECB8B753E993BCB6932A777197FC5795F11D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119793Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:16.634{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000119792Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:15.916{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000119791Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.631{147D18E0-2BF6-618E-9301-000000000702}2608900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119790Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.459{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BF6-618E-9301-000000000702}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119789Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.459{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119788Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.459{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119787Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.459{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119786Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.459{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119785Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.459{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119784Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.459{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119783Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.459{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119782Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.459{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119781Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.459{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119780Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.459{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2BF6-618E-9301-000000000702}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119779Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.459{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BF6-618E-9301-000000000702}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119778Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:18.460{147D18E0-2BF6-618E-9301-000000000702}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161603Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:19.267{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B2C0B797653593CC3BFF1FB3ACEBFD,SHA256=DB21B9DADB4C9F115B09F447A4925DE362295746139BD7056EFDA55CD0586BF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119809Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:19.131{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BF7-618E-9401-000000000702}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119808Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:19.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119807Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:19.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119806Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:19.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119805Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:19.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119804Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:19.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119803Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:19.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119802Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:19.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119801Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:19.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119800Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:19.131{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119799Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:19.131{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2BF7-618E-9401-000000000702}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119798Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:19.131{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BF7-618E-9401-000000000702}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119797Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:19.132{147D18E0-2BF7-618E-9401-000000000702}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161605Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:20.300{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-035MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161604Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:20.281{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65EF5EC77D82C2BA4E91CEDA4AC4FC9,SHA256=74DE14A993D495142240E103428395299B1C50DD5A72C79F66CC9F244B0C810F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119811Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:20.178{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B3401D93948D50AF46415897626BE61,SHA256=12294F800AF21E4CB15772A6476C4F06D03CABBC60860CCAE6A5C85047B9B2A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119810Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:20.006{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806EB9B6EFE365464EF4AEA2BCD9DDB0,SHA256=C5CAC9D5D29DCEB72BA027A55D9B099D40D9580B9B8B57808975C23B2DCE6712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161607Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:21.313{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-036MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161606Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:21.296{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD71CAEF3E5A9A6ED5AB7C1F9C9C5D9,SHA256=89095D0AF4041648AEB16B76B96C441C340DB86E4E48B8EAAFA8EA091E16B5BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119839Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.834{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BF9-618E-9601-000000000702}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119838Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119837Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119836Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119835Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119834Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119833Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119832Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119831Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119830Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.834{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119829Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.834{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2BF9-618E-9601-000000000702}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119828Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.834{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BF9-618E-9601-000000000702}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119827Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.835{147D18E0-2BF9-618E-9601-000000000702}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119826Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.350{147D18E0-2BF9-618E-9501-000000000702}14681464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119825Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.162{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BF9-618E-9501-000000000702}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119824Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.162{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119823Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.162{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119822Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.162{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119821Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.162{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119820Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.162{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119819Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.162{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119818Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.162{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119817Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.162{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119816Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.162{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119815Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.162{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2BF9-618E-9501-000000000702}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119814Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.162{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BF9-618E-9501-000000000702}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119813Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.163{147D18E0-2BF9-618E-9501-000000000702}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119812Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.021{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1470BA45EAA1E9292B983FF21E76197A,SHA256=37222BE803FB4AA314D71FE94B0A3B3ED3870475B516F852CD715A7EBE2D7D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161608Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:22.314{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366A82B4EB9BD664C4CCF522D7E70A87,SHA256=54EFFE4BABA06E5BC3BF52D39D85A2B30A9BEDBC959CE82960E1D6E03F606E9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119856Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.521{147D18E0-2BFA-618E-9701-000000000702}26282368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119855Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.334{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BFA-618E-9701-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119854Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119853Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119852Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119851Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119850Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119849Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119848Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119847Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119846Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.334{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119845Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.334{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2BFA-618E-9701-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119844Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.334{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BFA-618E-9701-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119843Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.335{147D18E0-2BFA-618E-9701-000000000702}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119842Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.193{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79E3DCFCA645D288FF601C26787D6553,SHA256=B2219C6E552F2904FA9B2FF6C960018B99B86A2E2403A130DB87D497DCF71A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119841Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.131{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6508740472A146B6049C7BB672611596,SHA256=7942E0356B6D7884BD05FE17BFF024D6D7FC35CDE03D47DB39006DCFF41335FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119840Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:22.068{147D18E0-2BF9-618E-9601-000000000702}39162252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119858Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:23.412{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31561FE99ABCF56BB7D0C686EF2BF9A3,SHA256=59314564242CA846C5B9431927894651158958D3E4371AEA6BACD17369F8FC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119857Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:23.272{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4AB194F9CF2EA49316D40AE6058207,SHA256=FEC87573C96C08F27B29DA0F679B5F4EDCF2ABFBA1805341FF8459C83DD4F80A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161611Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:23.562{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161610Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:20.203{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58813-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161609Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:23.331{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7194AA32D977FA83597A38F58CBDAC8C,SHA256=A0B30474AEAC56F96A2B5C3E4A1C30E3DACB3A592793144D9F624340EA666791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119873Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.475{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B952DC16D1E58C22BC77B74C16517751,SHA256=A39AAF3F8E3DD51D7ED876DD59A225CD6D4CDF33DE41A0C5AC5DC670CE496E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161612Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:24.346{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBC301AE304C13D625A032F3CAF5FB3,SHA256=BDC9B8BBB4B6DEB76F4B569D55575C5B7E6456B6280BC659F8124C9663761BEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119872Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.256{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2BFC-618E-9801-000000000702}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119871Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.256{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119870Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.256{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119869Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.256{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119868Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.256{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119867Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.256{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119866Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.256{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119865Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.256{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119864Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.256{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119863Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.256{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119862Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.256{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2BFC-618E-9801-000000000702}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119861Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.256{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2BFC-618E-9801-000000000702}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119860Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:24.257{147D18E0-2BFC-618E-9801-000000000702}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119859Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:21.697{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119875Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:25.506{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666EF9C3C9145A57AAD5B50129051827,SHA256=7D5BE4611ED5CC8E41D7E2BB6D45209CCD540EFA79E9CC15B19DED8D1428BA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161613Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:25.577{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE411B3AF676A59D89F677C681C3F07,SHA256=6DA55E4D22E23A8828D61FACB09994120B633C077E5257397B5EDCDD08FA20FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119874Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:25.443{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E84E4452E320E22917F02B1B3B15FF96,SHA256=095965668F966114A522F35780157E3263DF085E5451FDB69FEBA2823CECE8B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119876Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:26.584{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C0D6177AE6414083F02A5E1C8D75B3,SHA256=D7971AE0CF925645AADEBAE3C080375C8E7310925E3C8ACCC5D75B763CC1AF1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161615Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:26.612{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EF93C4DE2101579BB5C13FE69B97DD,SHA256=6979F777946A8A763F33FAA3C74F02506C6EA6599906998BC09B0163ACC50318,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161614Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:22.568{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58814-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000119877Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:27.600{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857C7B3EFC4F346002F0D99A873E90FA,SHA256=B1CFEBA05764781750EB9BFFD3BA2584CFDA3D2443E8A383EB24B08900A13144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161619Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:27.792{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C233DF679A064E52A8123AD51EE6F388,SHA256=22CEE305F38DF26AAEC7525C027F19C20A57CB02CDA28B9AA15D1E91F9F081E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161618Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:27.161{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-233F-618E-1500-000000000602}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161617Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:27.161{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-233F-618E-1500-000000000602}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161616Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:27.161{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-233F-618E-1500-000000000602}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119879Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:28.631{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51006271E3626B0372333599993F31D,SHA256=167FD21BBD1C29CE92068267CD9876C4F6D4CDEC267CE2370D78392384099431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161620Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:28.793{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7812DCD42354AC7E2F09A8290608A7FA,SHA256=83661BBF876AEE69616EE4C294E669B5209052512FE503AA3BFF48DDCCE4649F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119878Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:26.759{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119880Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:29.834{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B7A9ECCBFBD667F7181E893EFF1AF0,SHA256=03ECCD249F185BA8D91C47891BD33209D2498C68E77AA90410A13F46C898C6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161623Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:29.813{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC7310E5027D7D7CA7889750C91C258,SHA256=8CDEA3215FA88449565CB28FD552E761E4C5E43DAD161728DBD661DBF473390D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161622Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:29.710{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\glean\db\data.safe.binMD5=38A2BD95CE70F6D877FE8192BE6F6671,SHA256=4C449253A556D0B96F6E07F666BEF0A0A35C80E21757013FCA90D74AB2A80805,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161621Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:26.067{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58815-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119881Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:30.850{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61F0E19B6C6808F4E7F3CFA2F12408E,SHA256=5930EF24E02683B4D63756EF60AB52A5DB9E1F899AEA4486D5B43A3737D4F23C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161626Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:30.859{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4779C1AA807A2E94B0111A5C18535517,SHA256=E62750F0D1CBAB06FDD19D00DAE281A9936CC59D3010BD77CCCE1875D4587C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161625Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:30.744{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCFAF832E4C7A7DA7C918ECA967A1873,SHA256=2BB664D50E584326C0F1A7727DF94453E1131A5BFF4D9784FE9611382AFC693E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161624Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:30.744{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71613ACDAA5006DDFF2F0E7BDAF3606,SHA256=78467A944E441003DAE95516CDF6B8C992FA5F2C7E6DB70E2520941BB689CFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119882Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:31.865{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4637125C373911F6A943226593E2BE8A,SHA256=F389012B8E578B5ED62543CFABA056B6D464D82BAFF64F8402FBEAEFF6EABF88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161627Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:31.876{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BCCDEEBA0E41E54C05F8A39A8F6FCBD,SHA256=CCB11B7E777CBB594EE3B86202E3F4DD9A1F9257837A3DA45693030C585EC86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119883Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:32.865{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7B36264E9ADB65180724C7503F62A2,SHA256=57994836464E6903438F1D77F7E185A799FECC4AC8A46D674C8A1AEA07EDDD50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161628Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:32.887{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9A4F8495C5AF1BD6DB7DCE41852792,SHA256=793AF1D101D127B05D534B272718F073EBAEC399384CCDD9050F9D67C02F0F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161630Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:33.923{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE610CD1132600AE8FC2C9068EB5B47,SHA256=CE6C6E7D12569596E73D50CA47E3C2205A102ECA35405042B0EB4D02CF4E7079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119884Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:33.865{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF81B2A9A9D59C8446370EECAC255EA,SHA256=5C19DFAB15602A8F314CC73133FDE1AFDD542CB1A17214F87095377A46E8EFD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161629Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:31.132{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58816-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161631Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:34.986{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E5EA798824769279C8DF41609A9DA81,SHA256=0657C66DCA1A1563017C4F21D4E1C468A79D920C03674298011D44F468BC5218,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119886Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:32.697{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119885Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:34.865{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB1A110773D1EF398E9113B98E151DD,SHA256=EF26C5C2F60616F4B0172A13D9CDF9A27DF7886A4DD49A2C514B4E1B51D51F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119887Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:35.865{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03432EB4A550C027AA5ED3469F4B8E81,SHA256=108D5B3B16439C15B3242DEB19E2A72752FD9D60DA8AC6F85D94B542E2F12D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119888Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:36.881{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B8D3C283F57A8CDFFE89785AB6A82A,SHA256=A4C8955F7C3F8C26C9EAC8238C41B587F7E14966EE8C356CC23CDA8A1FB48CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161632Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:36.220{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5966F87769F3CBFC6E3B3CDAE64808,SHA256=451F221F390222A7DC8B129A0C700C6E87BF17272AEE3B92232FB79109CAC098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119889Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:37.881{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CACC34149B38E73C63AFDC3E5D4519,SHA256=A06C7CEED76875DD141DDEE1431225FE2BF2E7DBEBAB16419650A45F6CB1A13F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161650Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.967{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2C09-618E-E201-000000000602}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161649Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.961{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161648Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.961{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161647Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.961{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161646Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.961{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161645Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.960{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2C09-618E-E201-000000000602}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161644Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.959{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2C09-618E-E201-000000000602}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161643Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.797{189417FC-2C09-618E-E201-000000000602}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161642Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.564{189417FC-2C08-618E-E101-000000000602}53645844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161641Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.247{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129BFB92053616BE7277B472D67F0190,SHA256=FF4310DB70586C0BDBFDF0BD168E6D092A86542383F711E5BA1FD180AE307B93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161640Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.133{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2C08-618E-E101-000000000602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161639Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.125{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2C08-618E-E101-000000000602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161638Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.125{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161637Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.125{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161636Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.124{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161635Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.124{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161634Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.124{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2C08-618E-E101-000000000602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161633Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:36.939{189417FC-2C08-618E-E101-000000000602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119890Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:38.896{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B530139345FC6E469398A42DC81A5CA,SHA256=9AFA9009AD44C98E4EDD5B31C9DDCDA06F8C68405CFD1EC8387829EF3E4716FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161662Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:38.787{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2C0A-618E-E301-000000000602}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161661Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:38.784{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161660Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:38.784{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161659Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:38.783{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161658Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:38.783{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161657Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:38.783{189417FC-233C-618E-0500-000000000602}412540C:\Windows\system32\csrss.exe{189417FC-2C0A-618E-E301-000000000602}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161656Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:38.783{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2C0A-618E-E301-000000000602}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161655Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:38.588{189417FC-2C0A-618E-E301-000000000602}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161654Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:38.782{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-233F-618E-1600-000000000602}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161653Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:38.418{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDCFE3C2C175D9D8CD6543B16076BE66,SHA256=6F07FE9C10D847667F58701FD6C66A653E19480E5924F895259FA6F84B86424A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161652Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:38.034{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BF01D6521D2F8F68FA439A7C4421A82,SHA256=5E7B0B614C401B983F074322F7A9C31078A3744A305D8BAE3AFF89EF9D6B36CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161651Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:38.034{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCFAF832E4C7A7DA7C918ECA967A1873,SHA256=2BB664D50E584326C0F1A7727DF94453E1131A5BFF4D9784FE9611382AFC693E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161667Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:37.087{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58818-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000161666Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:36.889{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58817-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000161665Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:36.889{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58817-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 23542300x8000000000000000161664Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:39.657{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D384EC077AFDB854FDD767C1CF42B483,SHA256=7FC85EDAAC29ED20BE587628E7B088369698696E8F9F39828FED1F269090391A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119891Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:39.896{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693D987A087E842670A9330B7F255236,SHA256=59DB8F8B1183CD1F84B310526C10B4AF72009D3801513E707B1D0D36E13A59BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161663Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:39.641{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BF01D6521D2F8F68FA439A7C4421A82,SHA256=5E7B0B614C401B983F074322F7A9C31078A3744A305D8BAE3AFF89EF9D6B36CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119893Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:40.912{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF6B33F1B80ADD0696285BDE5D2C738,SHA256=AF88ACEFE3ACEFC24BD45FA5033341576339E219325F40C0DE905DA8C3376D4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161677Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:40.953{189417FC-2C0C-618E-E401-000000000602}10685340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161676Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:40.707{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3EDDE7A7277FAD2FEEAF45F9215B35,SHA256=0609535DB07F3A3D15CEF1F616EBB6BFE68A4D7819E93258D2C6649FA037310C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161675Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:40.557{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2C0C-618E-E401-000000000602}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161674Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:40.555{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161673Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:40.555{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161672Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:40.554{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2C0C-618E-E401-000000000602}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161671Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:40.554{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161670Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:40.554{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161669Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:40.554{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2C0C-618E-E401-000000000602}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161668Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:40.391{189417FC-2C0C-618E-E401-000000000602}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119892Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:38.619{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119894Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:41.912{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565BFB1504D347E26CB130971BC7D1CB,SHA256=83968781C61F39BCF4654C49BE22571AC31AC9772A8BD0AA655ECC2425117B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161688Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:41.725{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F39E18549A2A18390E0EB654326454,SHA256=2014A9678F5F0787AFA3219B218AAC238E68BA01DBDBC68F11067274A4C35F44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161687Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:41.697{189417FC-2C0D-618E-E501-000000000602}45165840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161686Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:41.474{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2C0D-618E-E501-000000000602}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161685Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:41.472{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161684Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:41.472{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161683Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:41.472{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161682Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:41.472{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161681Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:41.469{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2C0D-618E-E501-000000000602}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161680Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:41.469{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2C0D-618E-E501-000000000602}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161679Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:41.254{189417FC-2C0D-618E-E501-000000000602}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161678Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:41.416{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2F849FA0DFE6A9D3E39361387F570A4,SHA256=D68A8D95EAB1A538631421A671476EB4E5941BD618E82BBD9A4C810529C98E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119895Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:42.912{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476772E72E47C6BEEA7B557DF5D3F3CC,SHA256=172FE2CFFBB3E2F2B55A8475A10F225B895BD9324F84F5A76FDDE55A3821A171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161698Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:42.727{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E615685AD3A303C488FCD465B1855BD0,SHA256=C4C8F8FBC1AD668ACED31B305E63353BA47D93A0B803AD048FA471AAC5B7BFEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161697Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:42.312{189417FC-2C0E-618E-E601-000000000602}59686060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161696Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:42.156{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2C0E-618E-E601-000000000602}5968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161695Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:42.156{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161694Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:42.156{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161693Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:42.156{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161692Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:42.156{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161691Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:42.156{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2C0E-618E-E601-000000000602}5968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161690Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:42.156{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2C0E-618E-E601-000000000602}5968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161689Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:42.157{189417FC-2C0E-618E-E601-000000000602}5968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119896Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:43.928{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCCBBCD2E7AA71E140546DFE1044C818,SHA256=03E7ED2D43B8D70887829A9D6B804584CDDEB5E1F80C1F134A6D978BF70A0752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161708Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:43.729{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10C2C743D8A9845853C9E32CD5F9C80,SHA256=9C6B49FC9669AC2FAAFE524C7B693CC07A430BF79FBC2E2CFA94B9494434196D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161707Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:43.242{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2C0F-618E-E701-000000000602}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161706Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:43.242{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161705Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:43.242{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161704Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:43.242{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161703Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:43.242{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161702Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:43.242{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2C0F-618E-E701-000000000602}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161701Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:43.242{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2C0F-618E-E701-000000000602}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161700Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:43.243{189417FC-2C0F-618E-E701-000000000602}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161699Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:43.157{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=526FE2E1CD74E48D42596B58D25559D8,SHA256=E87E4B76C86EAC77B4CE47F389195458742DF198BD7A31099179CF8A069B4E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119897Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:44.943{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B160C93DA88610EB87825D952C8B3AB3,SHA256=FAA4F10A33F7609F612C476BE326116D69A9FF67E5E641987163B92B718B5314,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161746Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:42.148{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58819-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161745Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.815{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CDB8E014AB712D2FB172768354056A0,SHA256=DA398D5DE047BC03F6CFE163E514AB2F96261C536518E56555D1703FED34333A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161744Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161743Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161742Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161741Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161740Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161739Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161738Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161737Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161736Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161735Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161734Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161733Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161732Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161731Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161730Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161729Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161728Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161727Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161726Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161725Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161724Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161723Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2975-618E-6001-000000000602}4508C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161722Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161721Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161720Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2977-618E-6301-000000000602}4872C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161719Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161718Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161717Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161716Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161715Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161714Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161713Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161712Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161711Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161710Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.497{189417FC-233F-618E-0D00-000000000602}904928C:\Windows\system32\svchost.exe{189417FC-2976-618E-6201-000000000602}4772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161709Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:44.313{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D217FB8CD02D0D2E9C17794A43F79566,SHA256=AFF1BDAA3167F433001E51A621D2AF0565D7EBC59F7578964E9B3808BEFAF8CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119898Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:45.943{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97E6E5D2552CE48450E450EEABE233F,SHA256=70E0D6A39A7DE85F6EF2112214AA2255B89A132D0C97DDFD8992AB5CC9F62CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161747Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:45.867{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCBC7981BB39EF77F9E28A5565359E85,SHA256=611E492C2F6D29C9CA866D43EB93625D91F5BAB74E0BA302F23E7B5BC1C979FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119900Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:46.959{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A256E390773D1ADB722A3B404FB901,SHA256=5CD9F0881D7534DBC7487F6AF2500DCBB231F50EF71DAAA8CD201AA2D688C80D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119899Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:43.759{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161748Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:47.029{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A5A030976FC7036EC8C92BA49B6C95,SHA256=3C5D7AC45BAD956FA1E72380693A8E5790DC07BFC625A2265E64004326913A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119901Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:48.131{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6E8777B6CFCA53328B5CCE923CFDA1,SHA256=C39A0512DF39DB601BE59F8BDB2FF6BC371C4E76E1DB9B01B7DC929FF95D46B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161749Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:48.181{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFA7EF07ACB1F0E63B7A28BC2B41E3A,SHA256=D7AC01A1D210143CC462F8C4E174B57C14443D354DF989523090CFE42205AA45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119902Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:49.146{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4DC5EC0795D4A1236CA4A4744A9EF0,SHA256=78933C89746C558AEE6BC2B3A1FE733CE3C4A4D3854F52F82780B9D8051B3FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161750Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:49.267{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E793CB7522B7D2E379F58E86A1A72E,SHA256=7A9257AD2EDE61106B3E2F0E4DAA81D531EFBB3819A7BBCA0990E480D88049FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119903Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:50.178{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE03916764651A233DBD1E29AAA60876,SHA256=BD8F157BE23C5A3B20D9112BF8116E4E4D7B583269900A4D8C900D7264F2A5C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161752Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:50.281{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28508E607D495FE5391176E6FE86B40,SHA256=73009EE853E52A94E13E8EEF37975C378A1692E49CAE0BEBC8F35277E7F1E103,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161751Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:47.287{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000119905Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:49.681{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119904Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:51.271{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2018E50DBB15AC5E94639F46AC2D5344,SHA256=A3AAD6094EFB53193E76CDDAC40F07306CA0E8976F8DD47A2680AAB9DCF342BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161753Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:51.295{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12E1919A717ADA5C4C182473D06D27E,SHA256=BEE0275ACEC32A83194F43B50703B70EC6C726F1DDAE8D71D3FF9DBD4607BAFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119906Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:52.350{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43860FC3AC55FE76E26B6E9FC5D52E25,SHA256=73CBC6F752649A9610BE8ED2D4501CD59D3E350B0BCAFF54A7A32D152F1CE524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161754Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:52.310{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9281753A2853774B6ECD3B051B2EAA2,SHA256=7B31A2C6AB1FC172D722E6BB4A181E610A6D9B6E5BF867DCE2FD85B9D88B3842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161755Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:53.324{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DEEBB24137C9ECCCF2AC7D32D8F71C6,SHA256=296F20513FFEB70134F8E621FB15C7E0DF7139A7ACB17002343A79A3BF2689A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119907Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:53.412{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A13D3A26877F28BA6486EE6CEF931B,SHA256=496ACC1FFB6E09A7BA587023F34C70365974D9FF843A6578981334E5FFD8406E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119908Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:54.443{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD503F66E826DAD12CDC983C09C28E46,SHA256=52A973EBB8BB603007FD7480179FBC2D11A8CF53A71681EE1B5B6521C98730E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161763Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:54.593{189417FC-2975-618E-6001-000000000602}45084640C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FCA63D08)|UNKNOWN(FFFFBAB51D2A5B48)|UNKNOWN(FFFFBAB51D2A5CC7)|UNKNOWN(FFFFBAB51D2A0351)|UNKNOWN(FFFFBAB51D2A1D1A)|UNKNOWN(FFFFBAB51D29FFD6)|UNKNOWN(FFFFF802FC77C103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000161762Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:54.593{189417FC-2975-618E-6001-000000000602}45084640C:\Windows\Explorer.EXE{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF802FCA63D08)|UNKNOWN(FFFFBAB51D2A5B48)|UNKNOWN(FFFFBAB51D2A5CC7)|UNKNOWN(FFFFBAB51D2A0351)|UNKNOWN(FFFFBAB51D2A1D1A)|UNKNOWN(FFFFBAB51D29FFD6)|UNKNOWN(FFFFF802FC77C103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161761Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:54.593{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF22b030.TMPMD5=EAE1A877F1E70EC6E8A1C36B90B5FD06,SHA256=37A035AE6A66F2C57D61F6A22DEF6393BBEDA1F046CDEB7E66F00B2E3F5ED69C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161760Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:54.377{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF35B723C06849AA5A0CB24F2D6AA4BF,SHA256=E09D9BF41C97F79CD132A263F6C3919D14D791F1DC6118389A6DA20BA04A4D63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161759Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:54.177{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161758Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:54.177{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161757Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:54.177{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161756Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:54.093{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\datareporting\aborted-session-pingMD5=EABACD9D3EEB285FF769E69FF05C75E2,SHA256=E5645DB8051CB93AACD9F53F3BA7633B56F1A4432406A8029C100FEBB2671B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119909Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:55.506{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99A324E53E268FFA37DC5C9576DE86F,SHA256=40D7C4F40125E8FFB30F0E7BFFB7F24C6A626BBE75C7411F65BBB957E63136EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161765Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:55.540{189417FC-233F-618E-0D00-000000000602}9045276C:\Windows\system32\svchost.exe{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000161764Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:55.392{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7225CEBFC6D9E15DEA8B304484C1A911,SHA256=44EC31C58D6F9A7B3F85606FB35729255F65C5A5D45E21769F933CFAB354C33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119910Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:56.568{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E79EFCC634B8FEC914FEE1A0E6E6CA,SHA256=9966A702378EF44831E2998FD137628CB0E966E5AC1D8C397233A80F1D2E40AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161767Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:56.411{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51402AEA812D7C11FC782F90D14C6E3A,SHA256=A2454015736AEC85C8FF63F2C8310FC76F590DA096D85C093434734DAC051247,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161766Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:53.146{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58821-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119911Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:57.662{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD8C135D3E7BB2E2D842E034C24063D,SHA256=1DBD2DBCB043AEB704A3BF426E53A6FF73041436700A4D40DA9686766CB5F4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161768Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:57.465{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EC6CA3186BD3490C03F18E88AD0911,SHA256=0DE7CB4A5EB8A29859868DF81208F9FE59B7A72D76AD11A7704A1DD3C206C0F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119913Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:58.740{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80756E0FF9482EF58BA620B3AC9DDC3,SHA256=E284AE3F73A5A5DCDE2A69EE7D7A95A739803458CBC56D60EFF246FA745538F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161769Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:58.496{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC842C20029D528465232F21768B5C0,SHA256=4C267D238FFEEA7AB210A90473B437B827F6E79B0DD2F15B6460D291FA938F7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119912Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:55.619{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161770Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:59.564{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68725078949EB38006FDBA220E126CE4,SHA256=2E750717A587F1557817D23CD72BF3179359659B4D141ED2254C2B305A0F4AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119914Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:55:59.756{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CA45A4B716D1416197C175B2B4CCE9,SHA256=C05A759D0475C4E68F52D27547A68000EAF19009115325E2D20B8DDC60CDEF6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119915Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:00.771{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E529B48396BBFE1509D65881247EA1,SHA256=6B6DDF7C18928CB4E26E40BA85F3B31C47778FEF15BC257733D30ABD6BCA9A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161771Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:00.595{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E52BF06B02055E3E61EEF13B727E268,SHA256=E4FF45431D0949599F182966C7FD485123808D622AEC27A390C6827F61C1FC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119916Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:01.787{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBF994C823EE2E5F7E41CBF56745AA7,SHA256=C3F645C17352F6482553B113D97B070A5877144D024B43DD3B650E8BD9EA0E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161773Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:01.597{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72CAC0F7D86D0647A4143A576BCF5D7,SHA256=2E3A7AFC2915E8CF4835ED0A0619C563602BA71627700460D71998813CE600BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161772Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:55:58.268{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58822-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119917Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:02.866{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14241CEE429B3422F8586B9FD435D20C,SHA256=F6CFD8744E4ACEADDF21E216AF0D0DB9644B0B8830872C77472810296F4DA918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161774Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:02.627{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94206F7FC8B71D64711747C25E30DA71,SHA256=E1D82A4946A53B303D454FC0E2A119891444F60F38A5DC7B46406DD2C465EE93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161775Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:03.665{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB062E59EE5C07B7D048CB93BF2156C,SHA256=64A402D10BDE501B6D315B7365573F66AB22DF39778B9E31BFA5EB3FCBF34D92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119919Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:00.712{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119918Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:03.119{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\respondent-20211112081807-036MD5=29679EAEB830E271CC76D292D489A778,SHA256=4C6CE16440B380A5B479E0766AE1ED03B918D8D7A4AEDF061FAA3E01DC572F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161776Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:04.764{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B7392163837BAD2C3B7FEBF6A4F69E,SHA256=F02A5585DB6CDEAFE20A4F144098339B0C9F0F2DD9EF24A661381543911BD486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119921Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:04.129{147D18E0-233D-618E-1A00-000000000702}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-053f28e94fcd700d6\channels\health\surveyor-20211112081805-037MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119920Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:04.096{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02D2CFFB458BE91F62DEFF673997555,SHA256=0734D69E09B5E1FC65307838B555054A39250CAB66E7E6E053D597211F461A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161777Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:05.895{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECC5554037B6B77D5B4427B97E5FD1C,SHA256=5A70026513C02EF749064D31C25B1EBCFB87B5249F19C13649B8B8E1C6D7D279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119923Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:05.659{147D18E0-233C-618E-1100-000000000702}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3B357D7C13C29B1D96C0ED02D0F1B6A2,SHA256=EE03CE34C711755B5E7DB4A2D87184DDD29E7E940614306FEAF3D3A3566D0FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119922Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:05.112{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9194C99432171ADF3DC13D8E737DFA9,SHA256=F4C26A1A7A4BD19AE74786CEE031CD1ACA0AF2C7CE90AC2690AC08E928A50999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161778Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:06.910{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A0AE6D143FCCFADCD393CC5B612873,SHA256=24CDA041622FAB208EFC61B05A993884CB8D13C29377FFF1589513F8DC099EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119924Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:06.112{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FEF2656388D1B7710F028EF936CD7E0,SHA256=980B4707009CA86BC2AE22A16F3590B70EE53AE773F086EF0A3C8B2AA3070477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161780Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:07.912{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6EB2E7E5F3BC781F87FEF4DC1E0C35,SHA256=A4ACE44F56A33E65E9D5F205E764F4B44C28148D725C03F1334E8542575FCB81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161779Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:04.132{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58823-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119925Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:07.112{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B8C435A353B4209AD3573EBAD2ACF8,SHA256=DE82EE7E4C6FFBEDA73842020301C5985AF1FEF8BB6A5AD6BFA15984E93550D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161782Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:08.927{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB2A383E2D1D014CF833B812807E051,SHA256=5C6C76A5CB29B6D3FFE7FFCBF22C1C8F097A351612A641958482D043A3B1E4E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119926Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:08.127{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41054A82F8F4D2F9766CE8617DA9BD40,SHA256=9A996EC1D4BC0560CD307E34A00416BD33F15BDD467D530E6D107228BF07BEB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161781Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:08.744{189417FC-233F-618E-1200-000000000602}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CB35E9D525E75024A3DB76D770E0A45D,SHA256=8FDA1C444D2F6C3ECDD675D3764625712C75D88051321969E639A720E742E277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161783Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:09.996{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE9338B26475747360E71903A1DCF25,SHA256=EA89F6E3C4A5FF8A03FCBB7ACF8E5BC1EFB473D3F53016B1C0C36FD32EC0453C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119927Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:09.143{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5444F01931688993E6A00E80772E74E6,SHA256=134B722BA35B4845D4C21118C667E4062541711DE3ABE498AFBBF695321943FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119929Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:10.143{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD11F60B84F93AF5555A0651C8FC704,SHA256=C1A56F8547EC91537188FBA628B9350C3A19A718E179620522D8C04D8F01EB17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119928Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:06.693{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50196-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119930Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:11.143{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A169FFA0866BD94E66AACC503971658E,SHA256=D7D64890B1478DDFFE19E0956F5BF1A50E6269900254570EB4DDB038E94D4368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161784Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:10.996{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1C0144D0BEA37F706B6C141DDD3F36,SHA256=36FB3305AF9A2B7F98FA6DF7378AE80A3BBFC8DD05F6B481A0DC1A5A3B54ADC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119931Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:12.159{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01975F293D050FFE1DA2926283ED125B,SHA256=136C70975BDAA5D6E533FF9CB02E23E0496CB5EAE1FF49F385E2C765F7563B6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161786Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:09.249{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161785Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:11.997{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AC6344F95E7E61D9685B3A8FDF61FB,SHA256=D4C21EA21746DC53A8DAB9302E7E18D08575079F3F277E1F1053BA8AB53C27C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119932Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:13.159{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6B0379279D2272A8A9D58F037FEA28,SHA256=C26D6321285B108711AACA7D6524904AB00CBD2C713B03820DAF4840F009C383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161787Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:13.027{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59510934C7D2D5E67BCE90EDE208AFB1,SHA256=8E2382AA032F48087FBDB74A89C33ECA56D95A5250CDF476170E8157B0DF06A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119934Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:11.787{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000119933Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:14.174{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E7C63EF2C9B02B0484D960EF6A6F2E,SHA256=1421776D84083A8A281D8A45739BF53EB29D4D63CA66CAEC3F1BC2AEC0EA9276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161788Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:14.067{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE1A40060A81A99F1B44540C0E7AA25,SHA256=AA71C251AC2DF17F610F2E9701E9C08016CAF13591C52A53885EF96DA78B4148,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119936Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:56:15.331{147D18E0-233C-618E-1000-000000000702}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a3-0x2652ab7b) 23542300x8000000000000000119935Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:15.174{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F59E200BFD0E3FA5F1140F1ADA3F48,SHA256=EA261E19E7A63B98E08FB6579A101026E5B3DBDB3AB8E2063DB01CE03B656392,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000161790Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-SetValue2021-11-12 08:56:15.599{189417FC-233F-618E-1100-000000000602}508C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a3-0x267ba158) 23542300x8000000000000000161789Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:15.068{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF480C6AFBDF6471D1BF9A3C8E7BA93,SHA256=E091706B9D16AC49EB2F7F13C79D6ADE0D51A5C8357DDA8A78A832E9CA0E41BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119938Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:16.409{147D18E0-233D-618E-1F00-000000000702}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119937Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:16.174{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695691047DBB11266E79B85323135394,SHA256=1B98B1CABC7808C974436C831BE1E6AD9B0D14EECB29F1E71F5D5359BC70C7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161791Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:16.198{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF76AFB84860FF77E1957B5C2990B40F,SHA256=75CDF4A74ED773EB663736D31618F07D962379CCF74E0C410B2A40EDDCAA1264,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119953Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.784{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2C31-618E-9901-000000000702}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119952Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.784{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119951Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.784{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119950Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.784{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119949Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.784{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119948Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.784{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119947Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.784{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119946Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.784{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119945Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.784{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119944Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.784{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119943Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.784{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2C31-618E-9901-000000000702}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119942Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.784{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2C31-618E-9901-000000000702}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119941Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.784{147D18E0-2C31-618E-9901-000000000702}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119940Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:15.943{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000119939Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.377{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24869C452D5EE8EF9B66FEDDAD09EC81,SHA256=11E58C2C64A0D1A1120E879A02EEC5C9647B31CACF7C4756170905A8E9A15DD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161793Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:15.089{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58825-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161792Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:17.266{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BCD33F9BD755ACDB1CFD3F6FD4EB5C,SHA256=FB08009FDEEF589BBC74799165437758E54A24C518CB448F331C9B45539879F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119969Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.799{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E9812886AE06FD48B9E05AF9573CEA4,SHA256=2CBF66487720C8B189AA18C67D9B5F25A0B9F06EA636D043C7CE794E020B64E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119968Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.799{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFD76A1FBA01E3947A6163CC0012B20C,SHA256=E262F65035553FC2304A0ED913CEA5230EF22650402DB164B04F178B372378B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119967Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.456{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9AD4F4D11F196BADE8595EDEC1B80A,SHA256=84AB7E8178B952CBB6CAADE91614FE498AF37E0F6BC17FA2E6EB98430772D049,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119966Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.456{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2C32-618E-9A01-000000000702}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119965Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.456{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119964Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.456{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119963Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.456{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119962Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.456{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119961Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.456{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119960Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.456{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119959Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.456{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119958Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.456{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119957Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.456{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119956Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.456{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2C32-618E-9A01-000000000702}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119955Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.456{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2C32-618E-9A01-000000000702}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119954Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:18.457{147D18E0-2C32-618E-9A01-000000000702}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161794Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:18.266{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADA93F1E1D65CDDB2617649F0DC23FD,SHA256=26BB7E16514B38CC661B16102FE404A26DBBC25D78CA44D6B71B31270E2FB7B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119984Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:17.693{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161795Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:19.281{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5734CCE49B598545E74F41BC4EB1D0A,SHA256=1A84C0525E7CF08A33B5977A4458ABD6890562A9F80AB7C836E7035000A87BE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119983Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.268{147D18E0-2C33-618E-9B01-000000000702}28962892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119982Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.127{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2C33-618E-9B01-000000000702}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119981Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.127{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119980Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.127{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119979Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.127{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119978Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.127{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119977Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.127{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119976Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.127{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119975Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.127{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119974Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.127{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119973Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.127{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119972Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.127{147D18E0-233B-618E-0500-000000000702}408424C:\Windows\system32\csrss.exe{147D18E0-2C33-618E-9B01-000000000702}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119971Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.127{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2C33-618E-9B01-000000000702}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119970Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:19.128{147D18E0-2C33-618E-9B01-000000000702}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119987Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:20.784{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C3EC014C93BCFB428B04833C9CEA7E,SHA256=5187BD8FCAE5B31AFA39FC3C1F832761F21C10FD43A787FC89CC55F6FE9AF8FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161796Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:20.328{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2192EE2E47E2227DFD379E195A9EDB,SHA256=94E69C78DBBCA225CA1D0C4000EF10776EF8B27A6339F3A5BE8BEF32568D65E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119986Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:20.221{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E9812886AE06FD48B9E05AF9573CEA4,SHA256=2CBF66487720C8B189AA18C67D9B5F25A0B9F06EA636D043C7CE794E020B64E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119985Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:20.003{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7380CFE5EC4FE88A81F2D90AFD07F1,SHA256=5235E5834AD6F6C51E1C97900FE42D4DD98F917AD32341CACA55F460F7B08365,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120015Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.846{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2C35-618E-9D01-000000000702}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120014Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.846{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120013Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.846{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120012Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.846{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120011Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.846{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120010Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.846{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120009Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.846{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120008Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.846{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120007Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.846{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120006Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.846{147D18E0-233B-618E-0500-000000000702}408992C:\Windows\system32\csrss.exe{147D18E0-2C35-618E-9D01-000000000702}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120005Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.846{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120004Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.846{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2C35-618E-9D01-000000000702}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120003Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.847{147D18E0-2C35-618E-9D01-000000000702}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120002Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.799{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433D69B97E94ED282105F2A8881900C8,SHA256=D63DC9716CAF07D861ACBC16E6A69AF4E85BC9BC86B48EA6F0BE7EFC98CA4A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161798Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:21.850{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\respondent-20211112081825-036MD5=92A6002375909F258C84B36937F7FFCA,SHA256=7F65FF2342FCCC634B9BD6253F1075B90EFC900C14B3E45B18CCA15A44AA6ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161797Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:21.333{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956C9059D602961D5CE883D3FAA4A50B,SHA256=479265AA6CB0E6E1FADFE413DC945D102FD8EEF5D5407473AF4AC516E673E792,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120001Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.331{147D18E0-2C35-618E-9C01-000000000702}3441632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120000Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.159{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2C35-618E-9C01-000000000702}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119999Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.159{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119998Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.159{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119997Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.159{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119996Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.159{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119995Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.159{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119994Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.159{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119993Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.159{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119992Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.159{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119991Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.159{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119990Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.159{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2C35-618E-9C01-000000000702}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119989Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.159{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2C35-618E-9C01-000000000702}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119988Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:21.159{147D18E0-2C35-618E-9C01-000000000702}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161801Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.869{189417FC-234F-618E-2A00-000000000602}2808NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db2d3235079da6d2\channels\health\surveyor-20211112081823-037MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161800Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:20.138{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58826-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161799Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.350{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B17D40CA28B470E82BFA56F723EDA36,SHA256=D0C93025F76D45F48B22678A2CD7348A6386238EE7167A73C6774D9C7BED61CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120031Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.518{147D18E0-2C36-618E-9E01-000000000702}34363316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120030Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.346{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2C36-618E-9E01-000000000702}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120029Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.346{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120028Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.346{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120027Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.346{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120026Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.346{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120025Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.346{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120024Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.346{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120023Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.346{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120022Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.346{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120021Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.346{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120020Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.346{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2C36-618E-9E01-000000000702}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120019Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.346{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2C36-618E-9E01-000000000702}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120018Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.347{147D18E0-2C36-618E-9E01-000000000702}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120017Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.206{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ADEA8E54C34C931286F639337C222E9,SHA256=5B2F9552C514A5462A03B22874A15635258C9BE1A8D3DC5D0000A27ABDE12FB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120016Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:22.081{147D18E0-2C35-618E-9D01-000000000702}13043432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120033Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:23.581{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F370EEB2AA98B3386810A885A68F9494,SHA256=EAF776E251A0E035FD94FE55AB7374173707080F5D415165E33A5E51D83AB9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120032Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:23.362{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8287ED0A5AD20F57F15AC0FC4566074,SHA256=D07EE56F8114F75309AB7B3B6CD81E9E904DC51EAAFC60750CC86D95FA7B85AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161803Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:23.583{189417FC-234F-618E-2B00-000000000602}2836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4C1F6DF234150D792D0D043E4718B99D,SHA256=12E5A776F7B3E223C6ED0EF22444C9C721A8637A6F1ABA22E379890FD2AED3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161802Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:23.367{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0B55DDEEDEDDA262CEC3EA848C63BC,SHA256=DB8C1A9B33EEC82DB0B665EB4B74BA59EE00EE7013AA9ADF28BFB5FCE23C881C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120047Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.518{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D97D9935D97910BD81238A58DE78335,SHA256=C8CF47CBA6FAA9DE3DBD7D9DC24AB055261991CB118F689EAF968D066D60784D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161815Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.636{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58830-false93.184.220.29-80http 354300x8000000000000000161814Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.620{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58829-false34.98.75.3636.75.98.34.bc.googleusercontent.com443https 354300x8000000000000000161813Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.618{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local56728- 354300x8000000000000000161812Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.599{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58828-false13.224.186.106server-13-224-186-106.fra2.r.cloudfront.net443https 354300x8000000000000000161811Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.598{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local64594- 354300x8000000000000000161810Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.598{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local65408- 354300x8000000000000000161809Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.593{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-362.attackrange.local60742-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000161808Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.593{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local52018- 354300x8000000000000000161807Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.589{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58827-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000161806Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:24.697{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161805Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:24.429{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97A3BD223177ECFBDC9358EBE398604,SHA256=7600AE186C3B8841AE29DCDF4AFB71859B383B69B60A5158EDEEC0F8F58C9CE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120046Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.252{147D18E0-233E-618E-2A00-000000000702}28482868C:\Windows\system32\conhost.exe{147D18E0-2C38-618E-9F01-000000000702}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120045Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.252{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120044Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.252{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120043Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.252{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120042Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.252{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120041Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.252{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120040Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.252{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120039Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.252{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120038Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.252{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120037Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.252{147D18E0-233C-618E-0C00-000000000702}728928C:\Windows\system32\svchost.exe{147D18E0-233D-618E-1C00-000000000702}1908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120036Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.252{147D18E0-233B-618E-0500-000000000702}408524C:\Windows\system32\csrss.exe{147D18E0-2C38-618E-9F01-000000000702}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120035Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.252{147D18E0-233D-618E-1F00-000000000702}19923656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{147D18E0-2C38-618E-9F01-000000000702}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120034Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:24.253{147D18E0-2C38-618E-9F01-000000000702}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{147D18E0-233C-618E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{147D18E0-233D-618E-1F00-000000000702}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161804Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:24.067{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161821Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.803{189417FC-2AAF-618E-A101-000000000602}4352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-362.attackrange.local58831-false18.66.139.67-443https 354300x8000000000000000161820Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.803{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53614- 22542200x8000000000000000161819Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.812{189417FC-2AAF-618E-A101-000000000602}4352d2nxq2uap88usk.cloudfront.net018.66.139.67;18.66.139.97;18.66.139.125;18.66.139.17;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000161818Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.641{189417FC-2AAF-618E-A101-000000000602}4352prod-classifyclient.normandy.prod.cloudops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000161817Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.628{189417FC-2AAF-618E-A101-000000000602}4352prod-classifyclient.normandy.prod.cloudops.mozgcp.net034.98.75.36;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000161816Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:25.465{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B02E10D5C1A8A6E6392A0EE63D74899,SHA256=D345B17CE8F55B8D025C0157186908E2F83778D9674179E2683C4064A9A8A4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120050Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:25.518{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E317ADB153DA0E9AD478CA79990560E,SHA256=8DF8026D363F224396444FD4E19816B330B49BA675EAA877ABBCF8899B3F0CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120049Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:25.487{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E03F02504D2DD931CAB6EFBC56D8FCD,SHA256=6F7ADFEEF60C8C80153DCAB8195BA4F69228E718044C1ED6021BAD8C0420372C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120048Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:23.615{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000161824Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:23.888{189417FC-234F-618E-2700-000000000602}2768C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local53736- 23542300x8000000000000000161823Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:26.680{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB6BB70F364FC521F9439AFD6B08C5F,SHA256=BF6842B271BE78ACA4F672E0D6344B4493F0C7FC4F81D7550D15A9D0D54572FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120051Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:26.596{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CF2277EE0D7B3762E228F2EF6B0821,SHA256=A85765CCA1B25A5BBFA35ACB294446B2C150E32CEED07C1F9F5EAD739AEC07E8,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000161822Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:22.815{189417FC-2AAF-618E-A101-000000000602}4352d2nxq2uap88usk.cloudfront.net02600:9000:225e:4a00:a:da5e:7900:93a1;2600:9000:225e:4c00:a:da5e:7900:93a1;2600:9000:225e:0:a:da5e:7900:93a1;2600:9000:225e:a600:a:da5e:7900:93a1;2600:9000:225e:aa00:a:da5e:7900:93a1;2600:9000:225e:3e00:a:da5e:7900:93a1;2600:9000:225e:f800:a:da5e:7900:93a1;2600:9000:225e:fe00:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000161825Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:27.695{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8462BF30E91892D91F54AFAA2BD088,SHA256=F6BA164B5D166623B8AC83F6B324B1B37D7BD9D815FE31E4A61E19B3BA6E5D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120052Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:27.596{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D5DFBF4091DF7629504D3B1470B814,SHA256=3B5BA5B4265A5B80498CF0A05A5FD12D42A2DDE8EBEEE113058D6EC43A7BCB24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161828Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:28.709{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AA1E080FBFEE1F96B3429647B41594,SHA256=D34D57D81C9CBDB0E2051A087557B0E3DBFCA62D9374E0F07C6D924A95AD003C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120053Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:28.643{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516B9427AB54C6B39C4E550B4CFF48AB,SHA256=5475332F1C20982F3C0CDDE3C34419950650F1223D813B95BEB63236BAB4CFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161827Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:28.578{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jbrkkcap.default-release\cache2\doomed\4511MD5=FD79FD7F152EF46A0C55389DFE82C28F,SHA256=5E7A8DF8F27B30112478FC6EDD3DC34EDB39315DB55715E6952CA758B9DC0127,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161826Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:25.218{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58832-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000120054Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:29.690{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFF8C02EF983A643422F8321150049E,SHA256=A7FF375F42B53618E67AA45FB135CAA8A103F1B8FA02FBBE84CA3D6022152537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161829Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:29.724{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D039DB058F46E7B2AA0A343A088DF1,SHA256=567865570CA34B8B0424EF1C7FC7FD11FB258C4D647D85E17223328821C6598C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161830Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:30.792{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E84B7831230BD1978BC5B48E24112D,SHA256=C714F2D5AFA7EA98BCAF6F01EB33DDEBC711444DDF39BC366C9A22F425D180BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120056Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:30.690{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D283B46E47A1851D7806681176B979BF,SHA256=E111D4B6AF6B39DAF9ABDE0404134147B49D215D26CDE9FF149CFE50515C30B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120055Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:28.709{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161831Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:31.844{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35CD9019267A974C6C162CE89019572,SHA256=C4103F8AD7AA8999D0E268B05BBBDBD656F46320580E0B4B8F0F6BAC6E1A189C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120058Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:31.706{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5D5C6FFD00C2F09DE198D613040D3E,SHA256=DE5FBE5982114C356B964B2824FBC47DDDB671BA26D516D01797543EFC776190,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000120057Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-SetValue2021-11-12 08:56:31.331{147D18E0-233C-618E-1000-000000000702}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7a3-0x2fdc12f8) 23542300x8000000000000000161832Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:32.990{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50359E5FF24EFDEAD3D9D33A9118173,SHA256=52D5E7C4E720C970F19D019177D8247B42C3BA144BC6068F193A077FA983169F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120059Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:32.706{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1427AA7B687E61DC03EAA6F500A33725,SHA256=46C0B8D3283AD1ABED2C70CDA6731551DD939E7BFDE01A41B9388E75E834D706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120060Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:33.721{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE85128AF6E8B084DF7B3C23DAB57412,SHA256=5427661C9C7B55C9B3AB49933D0D2DA855355A041EAA1EC5D3C37A337A13D30C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120061Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:34.752{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2DF35295C0941514868B142AE31E71,SHA256=56BB5CFCE5FEED36ED1AA059365F1C5ED7E5F9A2FD9F15569E9E7CC4D2CEAA6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161834Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:31.097{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58833-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161833Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:34.006{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2450A48C7351CEEA659F813854CDCE,SHA256=EEF4EDD4C4743B22B39C237B2C5514C5D38C3E007555C968D1BC51866D734F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120062Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:35.815{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143FCA428376D68B4DE79A457D8DA2DA,SHA256=2B7DF0A623B0F279B09D31AA5CEA4F725A3E3DE31C15A79274B8BD17DAB9D7C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161839Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:35.794{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161838Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:35.794{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161837Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:35.794{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161836Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:35.794{189417FC-2AAF-618E-A101-000000000602}4352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jbrkkcap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161835Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:35.020{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC197400C2C020FFC29DC0C3853F55B,SHA256=3100EC926D5A30CAC77EE9EA53BF142120AE2A245C0626A03F63E0C89080EC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120063Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:36.846{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B086518F433A28BC50DCDE41A3DAF910,SHA256=EC84DAD0AFB50A618C52D9B396D124FA8B1268B8750C7B251B1BC6F125FBB386,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161848Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:36.944{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2C44-618E-E801-000000000602}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161847Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:36.942{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161846Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:36.942{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161845Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:36.942{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161844Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:36.942{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161843Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:36.941{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2C44-618E-E801-000000000602}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161842Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:36.941{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2C44-618E-E801-000000000602}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161841Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:36.941{189417FC-2C44-618E-E801-000000000602}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161840Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:36.025{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB511459AC3B926D0BD9E7CA2B9CCF64,SHA256=77026B1CB2499A32AF1020F24E484CCD1C646214411319C6B5671BB0A50E0E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120065Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:37.877{147D18E0-234F-618E-6B00-000000000702}1780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958B9B8BD55CBDC55E73B83F2F97E293,SHA256=BB70B4F6022AA12395877BD34A2B5152810E86E8998DCC1DE3D4773101FEAFCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161860Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:37.963{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0370AEDBD18C9D759E5E814FC2D2BFE0,SHA256=79272CE84F55F301B3EF1BAA21BA01FEEFBC407058B1CB5F43A7B96DEBFBE73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161859Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:37.963{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82308F05582387268F4D8CE52A80BAC3,SHA256=6F8AE183BFF41A6E81E103350EA78E27A49F3ED8350AEC726CD5D592B13D3F99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161858Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:37.831{189417FC-2C45-618E-E901-000000000602}54921832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161857Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:37.608{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2C45-618E-E901-000000000602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161856Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:37.608{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161855Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:37.608{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161854Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:37.608{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161853Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:37.608{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161852Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:37.608{189417FC-233C-618E-0500-000000000602}412388C:\Windows\system32\csrss.exe{189417FC-2C45-618E-E901-000000000602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161851Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:37.608{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2C45-618E-E901-000000000602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161850Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:37.609{189417FC-2C45-618E-E901-000000000602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161849Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:37.046{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F3ADA806FF65AF525AC2BCAD87DA38,SHA256=AF9CC736B821AD4B0BBD52EE05F2ABD1C118334D5C699A66694F58712235D601,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120064Microsoft-Windows-Sysmon/Operationalwin-host-29.attackrange.local-2021-11-12 08:56:34.600{147D18E0-2347-618E-6100-000000000702}3768C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-29.attackrange.local50202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000161869Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:38.179{189417FC-2350-618E-3100-000000000602}28442632C:\Windows\system32\conhost.exe{189417FC-2C46-618E-EA01-000000000602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161868Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:38.179{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161867Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:38.179{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161866Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:38.179{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161865Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:38.179{189417FC-233E-618E-0C00-000000000602}8483148C:\Windows\system32\svchost.exe{189417FC-234F-618E-2400-000000000602}2736C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161864Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:38.179{189417FC-233C-618E-0500-000000000602}412428C:\Windows\system32\csrss.exe{189417FC-2C46-618E-EA01-000000000602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000161863Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:38.179{189417FC-234F-618E-2B00-000000000602}28363804C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{189417FC-2C46-618E-EA01-000000000602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000161862Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:38.180{189417FC-2C46-618E-EA01-000000000602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{189417FC-233D-618E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{189417FC-234F-618E-2B00-000000000602}2836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161861Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:38.063{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DABB11ED146AB852FC2AAAA8F65684,SHA256=63BD7A8F7DB5741384B7223DAB84DAF963BFFA9F08F101DA8DA4E4532B8F43C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161873Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:39.225{189417FC-2361-618E-7300-000000000602}3224NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0370AEDBD18C9D759E5E814FC2D2BFE0,SHA256=79272CE84F55F301B3EF1BAA21BA01FEEFBC407058B1CB5F43A7B96DEBFBE73A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161872Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:36.901{189417FC-233D-618E-0B00-000000000602}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58835-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000161871Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:36.901{189417FC-234F-618E-2600-000000000602}2760C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-362.attackrange.local58835-true0:0:0:0:0:0:0:1win-dc-362.attackrange.local389ldap 354300x8000000000000000161870Microsoft-Windows-Sysmon/Operationalwin-dc-362.attackrange.local-2021-11-12 08:56:36.184{189417FC-235A-618E-6A00-000000000602}3668C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-362.attackrange.local58834-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-